Result Details
Verify File Hashes with RPM [xccdf_org.ssgproject.content_rule_rpm_verify_hashes] (severity: high)
| Rule ID | xccdf_org.ssgproject.content_rule_rpm_verify_hashes |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rpm_verify_hashes:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000480-GPOS-00227 |
| Description | Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:<br>`$ rpm -Va --noconfig \| grep '^..5'`<br>A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:<br>`$ rpm -qf FILENAME`<br>The package can be reinstalled from a dnf repository using the command:<br>`$ sudo dnf reinstall PACKAGENAME`<br>Alternatively, the package can be reinstalled from trusted media using the command:<br>`$ sudo rpm -Uvh PACKAGENAME` |
| Rationale | The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. |
OVAL test results details
verify file md5 hashes
oval:ssg-test_files_fail_md5_hash:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_files_fail_md5_hash:obj:1 of type
rpmverifyfile_object
| Behaviors | Name | Epoch | Version | Release | Arch | Filepath | Filter |
|---|---|---|---|---|---|---|---|
| no value | .* | .* | .* | .* | .* | ^/(bin\|sbin\|lib\|lib64\|usr)/.+$ | oval:ssg-state_files_fail_md5_hash:ste:1 |
Enable FIPS Mode [xccdf_org.ssgproject.content_rule_enable_fips_mode] (severity: high)
| Rule ID | xccdf_org.ssgproject.content_rule_enable_fips_mode |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_fips_mode:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-3 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 |
| Description | To enable FIPS mode, run the following command:<br>`fips-mode-setup --enable`<br>The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:<br>- Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1<br>- Creating /etc/system-fips<br>- Setting the system crypto policy in /etc/crypto-policies/config to FIPS<br>- Loading the Dracut fips module<br>Furthermore, the system running in FIPS mode should be FIPS certified by NIST. |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| Warnings | Warning: The system needs to be rebooted for these changes to take effect.<br>Warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. |
OVAL test results details
/etc/system-fips exists
oval:ssg-test_etc_system_fips:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/system-fips | regular | 0 | 0 | 36 | rw-r--r-- |
kernel runtime parameter crypto.fips_enabled set to 1
oval:ssg-test_sysctl_crypto_fips_enabled:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| crypto.fips_enabled | 0 |
add_dracutmodules contains fips
oval:ssg-test_enable_dracut_fips_module:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/dracut.conf.d/40-fips.conf | add_dracutmodules+=" fips " |
check for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/config | FIPS |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/state/current | FIPS |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1637091837 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/crypto-policies/back-ends/nss.config | symbolic link | 0 | 0 | 39 | rwxrwxrwx |
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type
family_object
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type
family_object
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type
rpminfo_object
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
os-release is rhcos
oval:ssg-test_rhcos:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
os-release is rhcos
oval:ssg-test_rhcos:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
rhcoreos is version 4
oval:ssg-test_rhcos4:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^VERSION_ID="(\d)\.\d+"$ | 1 |
rhcoreos is version 4
oval:ssg-test_rhcos4:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhcos4:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^VERSION_ID="(\d)\.\d+"$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type
family_object
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 12
oval:ssg-test_sles_12_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type
rpminfo_object
SLES_SAP-release is version 12
oval:ssg-test_sles_12_for_sap:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type
family_object
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 15
oval:ssg-test_sles_15_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type
rpminfo_object
SLES_SAP-release is version 15
oval:ssg-test_sles_15_for_sap:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_xenial:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=xenial$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_xenial:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=xenial$ | 1 |
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_xenial:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=xenial$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_xenial:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_xenial:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=xenial$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_bionic:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=bionic$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_bionic:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=bionic$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_bionic:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=bionic$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_bionic:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_bionic:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=bionic$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_focal:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=focal$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_focal:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=focal$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
/etc/lsb-release exists
oval:ssg-test_lsb:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_lsb:obj:1 of type
file_object
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu
oval:ssg-test_ubuntu:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_ID=Ubuntu$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_focal:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=focal$ | 1 |
Check Ubuntu version
oval:ssg-test_ubuntu_focal:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ubuntu_focal:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/lsb-release | ^DISTRIB_CODENAME=focal$ | 1 |
tests if var_system_crypto_policy is set to FIPS
oval:ssg-test_system_crypto_policy_value:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_system_crypto_policy:var:1 | FIPS |
Configure BIND to use System Crypto Policy

| Rule ID | xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy |
|---|---|
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_bind_crypto_policy:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: CIP-003-3 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 |
| Description | Crypto Policies provide centralized control over the crypto algorithms used by many packages. BIND is supported by the crypto policy, but the BIND configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, ensure that /etc/named.conf includes the appropriate configuration: in the `options` section of /etc/named.conf, make sure that the line `include "/etc/crypto-policies/back-ends/bind.config";` is present and is neither commented out nor superseded by later includes. |
| Rationale | Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented. |
OVAL test results details
package bind is removed
oval:ssg-test_package_bind_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type
rpminfo_object
Check that the configuration includes the policy config file.
oval:ssg-test_configure_bind_crypto_policy:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/named.conf | ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ | 1 |
Configure System Cryptography Policy

| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
|---|---|
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-3 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 |
| Description | To configure the system cryptography policy to use ciphers only from the FIPS policy, run `$ sudo update-crypto-policies --set FIPS`. The rule checks that the settings for the selected crypto policy are configured as expected: the configuration files in /etc/crypto-policies/back-ends are either symlinks to the correct files provided by the crypto-policies package, or regular files when crypto policy customizations have been applied. Crypto policies may be customized with crypto policy modules, in which case the modules are delimited from the base policy by a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on it. Use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. |
| Warnings | Warning: the system needs to be rebooted for these changes to take effect. Warning: system crypto modules must be provided by a vendor that undergoes FIPS-140 certification. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third-party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. |
OVAL test results details
check for crypto policy correctly configured in /etc/crypto-policies/config
oval:ssg-test_configure_crypto_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/config | FIPS |
check for crypto policy correctly configured in /etc/crypto-policies/state/current
oval:ssg-test_configure_crypto_policy_current:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/state/current | FIPS |
Check if update-crypto-policies has been run
oval:ssg-test_crypto_policies_updated:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1637091837 |
Check if /etc/crypto-policies/back-ends/nss.config exists
oval:ssg-test_crypto_policy_nss_config:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/crypto-policies/back-ends/nss.config | symbolic link | 0 | 0 | 39 | rwxrwxrwx |
Configure Kerberos to use System Crypto Policy

| Rule ID | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy |
|---|---|
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_kerberos_crypto_policy:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: 0418, 1055, 1402, CIP-003-3 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061 |
| Description | Crypto Policies provide centralized control over the crypto algorithms used by many packages. Kerberos is supported by the crypto policy, but its configuration may be set up to ignore it. To check that the Crypto Policies settings for Kerberos are configured correctly, verify that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/crypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. |
| Rationale | Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. |
OVAL test results details
Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file
oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/FIPS/krb5.txt |
Check if kerberos configuration symlink links to the crypto-policy backend file
oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/FIPS/krb5.txt |
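The two rules above (Configure System Cryptography Policy and Configure Kerberos to use System Crypto Policy) both reduce to filesystem state: what /etc/crypto-policies/config and state/current select, whether the back-end configs are stock symlinks or local customizations, and whether the Kerberos drop-in symlink ends at the same file as back-ends/krb5.config. The auditor below is an added example, not code from this report or from the scap-security-guide project. It assumes the RHEL 8 crypto-policies layout (config, state/current, back-ends/*.config symlinks into /usr/share/crypto-policies/<POLICY>/), treats "update-crypto-policies has been run" as state/current being at least as new as config, and runs against a constructed sample tree under a temporary directory rather than the real host.

```python
"""Audit system crypto policy state the way the OVAL checks above do.

Added example (not from the report or scap-security-guide). Assumptions: the
RHEL 8 crypto-policies file layout, mtime ordering as the "has been run"
test, and a constructed sample tree instead of the real host.
"""
import os
import tempfile
from pathlib import Path

# Back-end files inspected; the report shows nss.config and krb5.config, the
# real directory holds one per consumer (checking this subset is an assumption).
BACKENDS = ("nss.config", "krb5.config")


def split_policy(policy):
    """'FIPS:OSPP' -> ('FIPS', ['OSPP']): base policy plus colon-delimited modules."""
    base, *modules = policy.strip().split(":")
    return base, modules


def _read(path):
    return path.read_text().strip() if path.is_file() else None


def audit_crypto_policy(root, expected_base="FIPS"):
    """Return {'base', 'modules', 'customised', 'findings'}; empty findings = pass."""
    root = Path(os.path.realpath(root))
    etc = root / "etc/crypto-policies"
    result = {"base": None, "modules": [], "customised": [], "findings": []}
    findings = result["findings"]

    config = _read(etc / "config")
    if config is None:
        findings.append("/etc/crypto-policies/config missing: no policy selected")
        return result
    base, modules = split_policy(config)
    result.update(base=base, modules=modules)
    if base != expected_base:
        findings.append(f"config selects {base!r}, expected {expected_base!r}")

    # state/current is written by update-crypto-policies; if it lags behind
    # config (content or mtime) the selected policy was never applied.
    current_path = etc / "state/current"
    current = _read(current_path)
    if current != config:
        findings.append(f"state/current {current!r} differs from config {config!r}")
    elif current_path.stat().st_mtime < (etc / "config").stat().st_mtime:
        findings.append("config was edited after the last update-crypto-policies run")

    # A back-end config is either a symlink into the policy directory (stock
    # policy in force) or a regular file (local customisation, worth review).
    policy_dir = root / "usr/share/crypto-policies" / base
    for name in BACKENDS:
        link = etc / "back-ends" / name
        if link.is_symlink():
            target = Path(os.path.realpath(link))
            if policy_dir not in target.parents:
                findings.append(f"back-ends/{name} -> {target} is outside {policy_dir}")
        elif link.is_file():
            result["customised"].append(name)
        else:
            findings.append(f"back-ends/{name} missing")

    # Kerberos honours the policy only through this symlink, which must resolve
    # to the same file as back-ends/krb5.config (the report resolves both to
    # /usr/share/crypto-policies/FIPS/krb5.txt).
    krb_link = root / "etc/krb5.conf.d/crypto-policies"
    if not krb_link.is_symlink():
        findings.append("krb5.conf.d/crypto-policies is not a symlink: Kerberos ignores the policy")
    elif os.path.realpath(krb_link) != os.path.realpath(etc / "back-ends/krb5.config"):
        findings.append("krb5.conf.d/crypto-policies does not resolve to back-ends/krb5.config")
    return result


def build_sample_tree(root, policy="FIPS", stale_state=False, krb_symlink=True):
    """Constructed sample tree standing in for a host (not captured data)."""
    root = Path(root)
    base, _ = split_policy(policy)
    policy_dir = root / "usr/share/crypto-policies" / base
    policy_dir.mkdir(parents=True)
    for txt in ("nss.txt", "krb5.txt"):
        (policy_dir / txt).write_text(f"# {base} policy for {txt}\n")
    etc = root / "etc/crypto-policies"
    (etc / "back-ends").mkdir(parents=True)
    (etc / "state").mkdir()
    (etc / "config").write_text(policy + "\n")
    (etc / "state/current").write_text(policy + "\n")
    t = 1637091837  # the config timestamp the report shows; state/current follows it
    os.utime(etc / "config", (t, t))
    os.utime(etc / "state/current", (t - 100, t - 100) if stale_state else (t + 60, t + 60))
    (etc / "back-ends/nss.config").symlink_to(policy_dir / "nss.txt")
    (etc / "back-ends/krb5.config").symlink_to(policy_dir / "krb5.txt")
    (root / "etc/krb5.conf.d").mkdir()
    krb = root / "etc/krb5.conf.d/crypto-policies"
    if krb_symlink:
        krb.symlink_to(etc / "back-ends/krb5.config")
    else:
        krb.write_text("[libdefaults]\n")  # plain file: the policy is silently ignored
    return root


def run_demo():
    """Audit one compliant and one broken sample tree; returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        good = audit_crypto_policy(build_sample_tree(Path(tmp) / "good"))
        bad = audit_crypto_policy(build_sample_tree(
            Path(tmp) / "bad", policy="DEFAULT", stale_state=True, krb_symlink=False))
    return {"good": good, "bad": bad}
```

Run `audit_crypto_policy("/")` as root on a live host to get the same verdicts the OVAL tests produce; a non-empty `customised` list is not a failure but tells you which back-ends no longer track the stock policy and need review after every `update-crypto-policies` change.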
Configure Libreswan to use System Crypto Policy

| Rule ID | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy |
|---|---|
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_libreswan_crypto_policy:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: CIP-003-3 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014 |
| Description | Crypto Policies provide centralized control over the crypto algorithms used by many packages. Libreswan is supported by the system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, ensure that /etc/ipsec.conf includes the appropriate configuration file: make sure that the line `include /etc/crypto-policies/back-ends/libreswan.config` is present and is neither commented out nor superseded by later includes. |
| Rationale | Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented. |
OVAL test results details
package libreswan is installed
oval:ssg-test_package_libreswan_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type
rpminfo_object
Check that the libreswan configuration includes the crypto policy config file
oval:ssg-test_configure_libreswan_crypto_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ipsec.conf | include /etc/crypto-policies/back-ends/libreswan.config |
Configure OpenSSL library to use System Crypto Policy

| Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy |
|---|---|
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_openssl_crypto_policy:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001453, CIP-003-3 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 |
| Description | Crypto Policies provide centralized control over the crypto algorithms used by many packages. OpenSSL is supported by the crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, examine the OpenSSL config file at /etc/pki/tls/openssl.cnf. This file is in INI format; crypto policy support is enabled when it contains a `[ crypto_policy ]` section holding the directive `.include /etc/crypto-policies/back-ends/opensslcnf.config`. |
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSL library violate expectations, and makes system configuration more fragmented. |
OVAL test results details
Check that the configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_openssl_crypto_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pki/tls/openssl.cnf | `[ crypto_policy ]` followed by `.include /etc/crypto-policies/back-ends/opensslcnf.config` |
Configure SSH to use System Crypto Policy

| Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
|---|---|
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-3 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093 |
| Description | Crypto Policies provide centralized control over the crypto algorithms used by many packages. SSH is supported by the crypto policy, but the SSH configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented out or not set at all in /etc/sysconfig/sshd. |
| Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. |
OVAL test results details
Check that the SSH configuration mandates usage of system-wide crypto policies.
oval:ssg-test_configure_ssh_crypto_policy:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysconfig/sshd | ^\s*CRYPTO_POLICY\s*=.*$ | 1 |
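The four consumer rules above (BIND, Libreswan, OpenSSL, SSH) all come down to one pattern match against a text file, and each description carries the same caveat: the include must not be commented out or superseded. The checker below is an added example, not code from this report or from scap-security-guide. It reuses the OVAL regular expressions shown in the test details, adds the comment handling a scanner needs (`//`, `#` and `/* */` in named.conf, `#` in the others; an assumption about those formats) and the INI section tracking OpenSSL requires, and runs over constructed sample configs. "Superseded by later includes" cannot be decided from the file text alone, so that case is left to manual review. Note that the SSH test in this report ended in `error` rather than a pass or fail, so that check has to be redone by hand on this host.

```python
"""Text checks for the crypto-policy consumers covered by the rules above.

Added example, not from the report or scap-security-guide. The regexes are
the OVAL patterns shown above; comment syntaxes and sample configs are
assumptions/constructed data.
"""
import re

BIND_RE = re.compile(r'^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$', re.M)
LIBRESWAN_RE = re.compile(r'^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*$', re.M)
SECTION_RE = re.compile(r'^\s*\[\s*([^\]\s]+)\s*\]\s*$')
OPENSSL_INCLUDE_RE = re.compile(
    r'^\s*\.include\s*=?\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$')
SSHD_RE = re.compile(r'^\s*CRYPTO_POLICY\s*=.*$', re.M)  # pattern from the report above


def bind_uses_policy(named_conf):
    """named.conf: the include must be live; '//' and '#' lines never match the
    anchored regex, but a /* */ block around it would, so strip those first."""
    live = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)
    return BIND_RE.search(live) is not None


def libreswan_uses_policy(ipsec_conf):
    return LIBRESWAN_RE.search(ipsec_conf) is not None


def openssl_uses_policy(openssl_cnf):
    """openssl.cnf is INI-like: the .include only counts inside [ crypto_policy ]."""
    section = None
    for line in openssl_cnf.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section == "crypto_policy" and OPENSSL_INCLUDE_RE.match(line):
            return True
    return False


def sshd_uses_policy(sysconfig_sshd):
    """Any active CRYPTO_POLICY= assignment overrides the system policy, so it must be absent."""
    return SSHD_RE.search(sysconfig_sshd) is None


# Constructed sample configs (not captured from a host), paired with the checker.
SAMPLES = {
    "named.conf live include": (bind_uses_policy,
        'options {\n\tdirectory "/var/named";\n'
        '\tinclude "/etc/crypto-policies/back-ends/bind.config";\n};\n'),
    "named.conf // comment": (bind_uses_policy,
        'options {\n\t// include "/etc/crypto-policies/back-ends/bind.config";\n};\n'),
    "named.conf /* block comment */": (bind_uses_policy,
        'options {\n/*\n\tinclude "/etc/crypto-policies/back-ends/bind.config";\n*/\n};\n'),
    "ipsec.conf live include": (libreswan_uses_policy,
        'config setup\n\tprotostack=netkey\n'
        'include /etc/crypto-policies/back-ends/libreswan.config\n'),
    "ipsec.conf # comment": (libreswan_uses_policy,
        'config setup\n#include /etc/crypto-policies/back-ends/libreswan.config\n'),
    "openssl.cnf include in crypto_policy": (openssl_uses_policy,
        'openssl_conf = default_modules\n\n[ crypto_policy ]\n'
        '.include /etc/crypto-policies/back-ends/opensslcnf.config\n'),
    "openssl.cnf include in wrong section": (openssl_uses_policy,
        '[ crypto_policy ]\n\n[ default_sect ]\n'
        '.include /etc/crypto-policies/back-ends/opensslcnf.config\n'),
    "sysconfig/sshd policy honoured": (sshd_uses_policy, "# CRYPTO_POLICY=\n"),
    "sysconfig/sshd override": (sshd_uses_policy, "CRYPTO_POLICY='-oCiphers=aes128-ctr'\n"),
}


def run_checks(samples=SAMPLES):
    """Map each sample name to True (policy honoured) or False (the rule would fail)."""
    return {name: check(text) for name, (check, text) in samples.items()}
```

On a live host feed the real files in (`bind_uses_policy(open("/etc/named.conf").read())` and so on); a `True` from every checker matches what the OVAL tests above would report as a pass, while the "superseded by later includes" case still needs a read of whatever the file includes after the policy line.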
The Installed Operating System Is Vendor Supported

| Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported |
|---|---|
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-installed_OS_is_vendor_supported:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227 |
| Description | The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. |
| Rationale | An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. |
| Warnings | Warning: there is no remediation besides switching to a different operating system. |
OVAL test results details
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel7_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type
family_object
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7
oval:ssg-test_rhel7_client:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7
oval:ssg-test_rhel7_workstation:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7
oval:ssg-test_rhel7_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7
oval:ssg-test_rhel7_computenode:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7
oval:ssg-test_rhevh_rhel7_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_rhel8_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type
family_object
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type
rpminfo_object
redhat-release is version 8
oval:ssg-test_rhel8:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type
rpminfo_object
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed
oval:ssg-test_rhvh4_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type
rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8
oval:ssg-test_rhevh_rhel8_version:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 7
oval:ssg-test_ol7_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type
rpminfo_object
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
oraclelinux-release is version 8
oval:ssg-test_ol8_system:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_sle12_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type
family_object
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sled-release is version 6
oval:ssg-test_sle12_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
sles-release is version 6
oval:ssg-test_sle12_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 12
oval:ssg-test_sles_12_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type
rpminfo_object
SLES_SAP-release is version 12
oval:ssg-test_sles_12_for_sap:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type
rpminfo_object
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
true
Following items have been found on the system:
installed OS part of unix family
oval:ssg-test_sle15_unix_family:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type
family_object
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sled-release is version 15
oval:ssg-test_sle15_desktop:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
sles-release is version 15
oval:ssg-test_sle15_server:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type
rpminfo_object
SLES_SAP-release is version 15
oval:ssg-test_sles_15_for_sap:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type
rpminfo_object
SLES_SAP-release is version 15
oval:ssg-test_sles_15_for_sap:tst:1
not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type
rpminfo_object
Set the GNOME3 Login Number of Failures
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
3.1.8, FMT_MOF_EXT.1 |
| Description | In the default graphical environment, the GNOME3 login
screen can be configured to restart the authentication process after
a configured number of failed attempts. This is done by setting
allowed-failures to 3 or less.
To enable, add or edit allowed-failures to
/etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
allowed-failures=3
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/allowed-failures
After the settings have been set, run dconf update. |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. |
Disable GDM Automatic Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-6(1), CM-7(b), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00229 |
| Description | The GNOME Display Manager (GDM) can allow users to log in automatically without
user interaction or credentials. Users should always be required to authenticate themselves
to the system they are authorized to use. To disable the ability to log in automatically,
set AutomaticLoginEnable to false in the
[daemon] section of /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false |
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating
system security. |
Disable GDM Guest Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), IA-2, PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00229 |
| Description | The GNOME Display Manager (GDM) can allow users to log in without credentials,
which can be useful for public kiosk scenarios. Allowing users to log in without credentials
or with "guest" account access has inherent security risks and should be disabled. To disable
timed logins or guest account access, set TimedLoginEnable to false in
the [daemon] section of /etc/gdm/custom.conf. For example:
[daemon]
TimedLoginEnable=false |
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating
system security. |
Enable GNOME3 Screensaver Idle Activation
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-11(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010 |
| Description | To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock.
Enabling idle activation of the screensaver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require that the
login session not have administrator rights and that the display station be located in a
controlled-access area. |
Set GNOME3 Screensaver Inactivity Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010 |
| Description | The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting, which must be set in an appropriate configuration file in the /etc/dconf/db/local.d directory
and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock. |
Set GNOME3 Screensaver Lock Delay After Activation Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010 |
| Description | To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 0 in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 0
Once the setting has been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to log out because of the temporary nature of the absence. |
Enable GNOME3 Screensaver Lock After Idle Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 |
| Description | To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to log out because of the temporary nature of the absence. |
Implement Blank Screensaver
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(1), CM-6(a), AC-11(1).1, PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000031-GPOS-00012 |
| Description | To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=''
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update. |
| Rationale | Setting the screensaver mode to blank-only conceals the
contents of the display from passersby. |
Disable Full User Name on Splash Shield
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
FMT_MOF_EXT.1 |
| Description | By default when the screen is locked, the splash shield will show the user's
full name. This should be disabled to prevent casual observers from seeing
who has access to the system. This can be disabled by adding or setting
show-full-name-in-top-bar to false in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
show-full-name-in-top-bar=false
Once the settings have been added, add a lock to
/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/show-full-name-in-top-bar
After the settings have been set, run dconf update. |
| Rationale | Setting the splash screen to not reveal the logged in user's name
conceals who has access to the system from passersby. |
Ensure Users Cannot Change GNOME3 Screensaver Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010 |
| Description | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not log out because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
Ensure Users Cannot Change GNOME3 Session Idle Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010 |
| Description | If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not log out because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227 |
| Description | By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. |
| Rationale | Unlike text-based keyfiles, the binary database cannot be checked by OVAL.
Therefore, in order to evaluate the dconf configuration, both of the following have to be true at the same time:
the configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. |
Install dnf-automatic Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_dnf-automatic_installed:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R8), SRG-OS-000191-GPOS-00080 |
| Description | The dnf-automatic package can be installed with the following command:
$ sudo dnf install dnf-automatic |
| Rationale | dnf-automatic is an alternative command line interface (CLI)
to dnf upgrade suitable for automatic, regular execution. |
OVAL test results details
package dnf-automatic is installed
oval:ssg-test_package_dnf-automatic_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| dnf-automatic | noarch | (none) | 1.fc35 | 4.9.0 | 0:4.9.0-1.fc35 | db4639719867c58f | dnf-automatic-0:4.9.0-1.fc35.noarch |
Configure dnf-automatic to Install Available Updates Automatically
| Rule ID | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dnf-automatic_apply_updates:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 |
| Description | To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under the [commands] section in /etc/dnf/automatic.conf. |
| Rationale | Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise.
The automated installation of updates ensures that recent security patches
are applied in a timely manner. |
OVAL test results details
tests the value of apply_updates setting in the /etc/dnf/automatic.conf file
oval:ssg-test_dnf-automatic_apply_updates:tst:1
true
Following items have been found on the system:
Path: /etc/dnf/automatic.conf
Content:

    [commands]
    # What kind of upgrade to perform:
    # default = all available upgrades
    # security = only the security upgrades
    upgrade_type = security
    random_sleep = 0
    # Maximum time in seconds to wait until the system is on-line and able to
    # connect to remote repositories.
    network_online_timeout = 60
    # To just receive updates use dnf-automatic-notifyonly.timer
    # Whether updates should be downloaded when they are available, by
    # dnf-automatic.timer. notifyonly.timer, download.timer and
    # install.timer override this setting.
    download_updates = yes
    # Whether updates should be applied when they are available, by
    # dnf-automatic.timer. notifyonly.timer, download.timer and
    # install.timer override this setting.
    apply_updates = yes
The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates
oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/dnf/automatic.conf | regular | 0 | 0 | 2719 | rw-r--r-- |
Configure dnf-automatic to Install Only Security Updates
| Rule ID | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dnf-automatic_security_updates_only:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 |
| Description | To configure dnf-automatic to install only security updates
automatically, set upgrade_type to security under the
[commands] section in /etc/dnf/automatic.conf. |
| Rationale | By default, dnf-automatic installs all available updates.
Restricting automatic updates to packages issued as part of a security advisory
reduces the number of updated packages and increases system stability. |
OVAL test results details
tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file
oval:ssg-test_dnf-automatic_security_updates_only:tst:1
true
Following items have been found on the system:
Path: /etc/dnf/automatic.conf
Content:

    [commands]
    # What kind of upgrade to perform:
    # default = all available upgrades
    # security = only the security upgrades
    upgrade_type = security
The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only
oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1
true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/dnf/automatic.conf | regular | 0 | 0 | 2719 | rw-r--r-- |
Ensure Fedora GPG Key Installed
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_fedora_gpgkey_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_fedora_gpgkey_installed:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, Req-6.2 |
| Description | To ensure the system can cryptographically verify base software
packages come from Fedora (and to connect to the Fedora Network to
receive them), the Fedora GPG key must properly be installed.
To install the Fedora GPG key, run one of the commands below, depending on your Fedora version:
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-34-primary
$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-33-primary |
| Rationale | Changes to software components can have significant effects on the
overall security of the operating system. This requirement ensures
the software has not been tampered with and that it has been provided
by a trusted vendor. The Fedora GPG key is necessary to
cryptographically verify packages are from Fedora. |
OVAL test results details
Test installed OS is part of the unix family
oval:ssg-test_unix_family:tst:1
true
Following items have been found on the system:
fedora-release RPM packages are installed
oval:ssg-test_fedora_release_rpm:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| fedora-release-identity-cloud | noarch | (none) | 33 | 35 | 0:35-33 | db4639719867c58f | fedora-release-identity-cloud-0:35-33.noarch |
| fedora-release-common | noarch | (none) | 33 | 35 | 0:35-33 | db4639719867c58f | fedora-release-common-0:35-33.noarch |
| fedora-release-cloud | noarch | (none) | 33 | 35 | 0:35-33 | db4639719867c58f | fedora-release-cloud-0:35-33.noarch |
CPE vendor is 'fedoraproject' and 'product' is fedora
oval:ssg-test_fedora_vendor_product:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/system-release-cpe | cpe:/o:fedoraproject:fedora:35 |
Fedora 9867c58f release key package is installed
oval:ssg-test_package_gpgkey-9867c58f-601c49ca_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| gpg-pubkey | (none) | (none) | 601c49ca | 9867c58f | 0:9867c58f-601c49ca | 0 | gpg-pubkey-0:9867c58f-601c49ca.(none) |
Fedora 45719a39 release key package is installed
oval:ssg-test_package_gpgkey-45719a39-5f2c0192_installed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| gpg-pubkey | (none) | (none) | 601c49ca | 9867c58f | 0:9867c58f-601c49ca | 0 | gpg-pubkey-0:9867c58f-601c49ca.(none) |
Fedora 9570ff31 release key package is installed
oval:ssg-test_package_gpgkey-9570ff31-5e3006fb_installed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| gpg-pubkey | (none) | (none) | 601c49ca | 9867c58f | 0:9867c58f-601c49ca | 0 | gpg-pubkey-0:9867c58f-601c49ca.(none) |
Ensure gpgcheck Enabled In Main dnf Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_globally_activated:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
| Description | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure dnf to check package signatures before installing
them, ensure the following line appears in /etc/dnf/dnf.conf in
the [main] section:
gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system
components must be signed with a certificate recognized and approved by the
organization.
Verifying the authenticity of the software prior to installation
validates the integrity of the patch or upgrade received from a vendor.
This ensures the software has not been tampered with and that it has been
provided by a trusted vendor. Self-signed certificates are disallowed by
this requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). |
OVAL test results details
check value of gpgcheck in /etc/dnf/dnf.conf
oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/dnf/dnf.conf | gpgcheck=1 |
Ensure gpgcheck Enabled for Local Packages
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_local_packages:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
| Description | dnf should be configured to verify the signature(s) of local packages
prior to installation. To configure dnf to verify signatures of local
packages, set localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf. |
| Rationale | Changes to any software components can have significant effects on the overall security
of the operating system. This requirement ensures the software has not been tampered with and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must
be signed with a certificate recognized and approved by the organization. |
OVAL test results details
check value of localpkg_gpgcheck in /etc/dnf/dnf.conf
oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/dnf/dnf.conf | localpkg_gpgcheck = 1 |
Ensure gpgcheck Enabled for All dnf Package Repositories
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_never_disabled:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
| Description | To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
| Rationale | Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA). |
OVAL test results details
check for existence of gpgcheck=0 in /etc/yum.repos.d/ files
oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/yum.repos.d | .* | ^\s*gpgcheck\s*=\s*0\s*$ | 1 |
Enable dnf-automatic Timer
| Rule ID | xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-timer_dnf-automatic_enabled:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080 |
| Description | The dnf-automatic timer can be enabled with the following command:
$ sudo systemctl enable dnf-automatic.timer |
| Rationale | dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities that make it suitable for automatic, regular execution from systemd timers, cron jobs and similar.
The tool is controlled by the dnf-automatic.timer systemd timer. |
OVAL test results details
package dnf-automatic is installed
oval:ssg-test_package_dnf-automatic_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| dnf-automatic | noarch | (none) | 1.fc35 | 4.9.0 | 0:4.9.0-1.fc35 | db4639719867c58f | dnf-automatic-0:4.9.0-1.fc35.noarch |
Test that the dnf-automatic timer is running
oval:ssg-test_timer_running_dnf-automatic:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| dnf-automatic.timer | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_dnf-automatic:tst:1
true
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | basic.target, -.mount, sysinit.target, systemd-tmpfiles-setup-dev.service, sys-fs-fuse-connections.mount, proc-sys-fs-binfmt_misc.automount, selinux-autorelabel-mark.service, systemd-boot-system-token.service, cryptsetup.target, local-fs.target, boot-efi.mount, boot.mount, home.mount, tmp.mount, systemd-remount-fs.service, systemd-udev-trigger.service, systemd-sysctl.service, veritysetup.target, systemd-journald.service, kmod-static-nodes.service, ldconfig.service, systemd-sysusers.service, dracut-shutdown.service, systemd-update-done.service, systemd-journal-catalog-update.service, systemd-hwdb-update.service, swap.target, dev-zram0.swap, systemd-repart.service, systemd-binfmt.service, sys-kernel-config.mount, systemd-tmpfiles-setup.service, systemd-random-seed.service, import-state.service, systemd-udevd.service, systemd-journal-flush.service, sys-kernel-tracing.mount, systemd-machine-id-commit.service, systemd-modules-load.service, sys-kernel-debug.mount, systemd-update-utmp.service, systemd-firstboot.service, dev-hugepages.mount, dev-mqueue.mount, systemd-ask-password-console.path, slices.target, -.slice, system.slice, timers.target, dnf-makecache.timer, dnf-automatic.timer, systemd-tmpfiles-clean.timer, unbound-anchor.timer, fstrim.timer, paths.target, sockets.target, systemd-udevd-kernel.socket, systemd-coredump.socket, systemd-journald-dev-log.socket, systemd-journald.socket, sssd-kcm.socket, systemd-userdbd.socket, systemd-journald-audit.socket, dbus.socket, systemd-initctl.socket, systemd-udevd-control.socket, rpmdb-rebuild.service, systemd-logind.service, systemd-ask-password-wall.path, systemd-homed.service, chronyd.service, auditd.service, systemd-oomd.service, sssd.service, getty.target, getty@tty1.service, NetworkManager.service, remote-fs.target, systemd-update-utmp-runlevel.service, systemd-user-sessions.service, systemd-resolved.service, sshd.service |
Enable GNOME3 Login Warning Banner
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088 |
| Description | In the default graphical environment, a login warning banner
can be displayed on the GNOME Display Manager's login screen
by setting banner-message-enable to true.
To enable it, add or edit banner-message-enable in
/etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update.
The banner text must also be set. |
| Rationale | Display of a standardized and approved use notification before granting access to the operating system
ensures privacy and security notification verbiage used is consistent with applicable federal laws,
Executive Orders, directives, policies, regulations, standards, and guidance.
For U.S. Government systems, system use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not exist. |
Set the GNOME3 Login Warning Banner Text
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088 |
| Description | In the default graphical environment, the login warning banner text
shown on the GNOME Display Manager's login screen can be configured
by setting banner-message-text to 'APPROVED_BANNER',
where APPROVED_BANNER is the approved banner for your environment.
To set it, add or edit banner-message-text in
/etc/dconf/db/distro.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update.
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines. |
| Rationale | An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers. |
Modify the System Login Banner
| Rule ID | xccdf_org.ssgproject.content_rule_banner_etc_issue |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-banner_etc_issue:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070 |
| Description | To configure the system login banner edit /etc/issue. Replace the
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't. |
| Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces
with human users and are not required when such human interfaces do not
exist. |
OVAL test results details: correct banner in /etc/issue
oval:ssg-test_banner_etc_issue:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/issue.d/22_clhm_eth0.issue | eth0: \4{eth0} \6{eth0} |
| /etc/issue | -- WARNING -- This system is for the use of authorized users only. Individuals
using this computer system without authority or in excess of their authority
are subject to having all their activities on this system monitored and
recorded by system personnel. Anyone using this system expressly consents to
such monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity system personal may provide the evidence of such
monitoring to law enforcement officials. |
Set Deny For Failed Password Attempts (xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny, medium)
Set Deny For Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050 |
| Description | To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so, modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
- add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
- add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
- add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so
|
| Rationale | Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. |
OVAL test results details: Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix.
oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0
auth sufficient pam_unix.so try_first_pass |
Check if pam_faillock.so is called in account phase before pam_unix
oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | account required pam_faillock.so
account required pam_unix.so |
Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix
oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0
auth sufficient pam_unix.so try_first_pass |
Check if pam_faillock.so is called in account phase before pam_unix.
oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | account required pam_faillock.so
account required pam_unix.so |
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value
oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | 3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin | 1 |
Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail
oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 |
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value
oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/password-auth | 3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin | 1 |
Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct.
oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 |
Configure the root Account for Failed Password Attempts (xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root, medium)
Configure the root Account for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 |
| Description | To configure the system to lock out the root account after a
number of incorrect login attempts using pam_faillock.so, modify
the content of both /etc/pam.d/system-auth and
/etc/pam.d/password-auth as follows:
|
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password
guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
OVAL test results details: Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth
oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0
auth sufficient pam_unix.so try_first_pass |
Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)
oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth
oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0
auth sufficient pam_unix.so try_first_pass |
Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)
oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
Set Interval For Counting Failed Password Attempts (xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval, medium)
Set Interval For Counting Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_interval:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050 |
| Description | Utilizing pam_faillock.so, the fail_interval directive
configures the system to lock out an account after a number of incorrect
login attempts within a specified time period. Modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth
as follows:
- Add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
- Add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
- Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so
|
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
OVAL test results details: check maximum preauth fail_interval allowed in /etc/pam.d/system-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0 |
check maximum authfail fail_interval allowed in /etc/pam.d/system-auth
oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
check maximum authfail fail_interval allowed in /etc/pam.d/password-auth
oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
check maximum preauth fail_interval allowed in /etc/pam.d/password-auth
oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0 |
check if pam_faillock.so is required in account section in /etc/pam.d/password-auth
oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | account required pam_faillock.so |
check if pam_faillock.so is required in account section in /etc/pam.d/system-auth
oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | account required pam_faillock.so |
Set Lockout Time for Failed Password Attempts (xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time, medium)
Set Lockout Time for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180 |
| Description | To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so,
modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
- add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=0 fail_interval=900
- add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=0 fail_interval=900
- add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.so
If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. |
| Rationale | Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations. |
OVAL test results details: Check if external variable unlock time is never
oval:ssg-test_var_faillock_unlock_time_is_never:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1 | 0 |
Check if unlock time is never
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_is_never:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0 |
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0 |
| /etc/pam.d/password-auth | auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
Check if external variable unlock time is never
oval:ssg-test_var_faillock_unlock_time_is_never:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1 | 0 |
Check if unlock time is never, or greater than or equal external variable
oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_greater_or_equal_ext_var:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0 |
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent deny=3 even_deny_root fail_interval=900 unlock_time=0 |
| /etc/pam.d/password-auth | auth [default=die] pam_faillock.so authfail deny=3 even_deny_root fail_interval=900 unlock_time=0 |
Ensure PAM Enforces Password Requirements - Minimum Digit Characters (xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit, medium)
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_dcredit:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, SRG-OS-000071-VMM-000380 |
| Description | The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space. |
OVAL test results details: check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_dcredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | dcredit = -1 |
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters (xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit, medium)
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_lcredit:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, SRG-OS-000070-VMM-000370 |
| Description | The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space. |
OVAL test results details: check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_lcredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | lcredit = -1 |
Ensure PAM Enforces Password Requirements - Minimum Length (xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen, medium)
Ensure PAM Enforces Password Requirements - Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minlen:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450 |
| Description | The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=12
after pam_pwquality to set minimum password length requirements. |
| Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a
password in resisting attempts at guessing and brute-force attacks.
Password length is one factor of several that helps to determine strength
and how long it takes to crack a password. Use of more characters in a password
helps to exponentially increase the time and/or resources required to
compromise the password. |
OVAL test results details: check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_minlen:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | minlen = 12 |
Ensure PAM Enforces Password Requirements - Minimum Special Characters (xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit, medium)
Ensure PAM Enforces Password Requirements - Minimum Special Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ocredit:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000266-GPOS-00101, SRG-OS-000266-VMM-000940 |
| Description | The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number,
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting
in /etc/security/pwquality.conf to equal -1
to require use of a special character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space. |
OVAL test results details: check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_ocredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | ocredit = -1 |
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session (xccdf_org.ssgproject.content_rule_accounts_password_pam_retry, medium)
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_retry:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037 |
| Description | To configure the number of retry prompts that are permitted per-session:
Edit the pam_pwquality.so statement in
/etc/pam.d/system-auth to show
retry=3, or a lower value if site
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
per session. |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module. |
OVAL test results details
check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ucredit:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000069-VMM-000360 |
| Description | The pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more
complex the password, the greater the number of possible combinations that need to be tested before
the password is compromised. |
OVAL test results details
check the configuration of /etc/pam.d/system-auth
oval:ssg-test_password_pam_pwquality:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf
oval:ssg-test_password_pam_pwquality_ucredit:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | ucredit = -1 |
Install the screen Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_screen_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_screen_installed:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000058, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000030-VMM-000110 |
| Description | To enable console screen locking, install the screen package.
The screen package can be installed with the following command:
$ sudo dnf install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not log out because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
The screen package allows for a session lock to be implemented and configured. |
OVAL test results details
package screen is installed
oval:ssg-test_package_screen_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| screen | x86_64 | (none) | 6.fc35 | 4.8.0 | 0:4.8.0-6.fc35 | db4639719867c58f | screen-0:4.8.0-6.fc35.x86_64 |
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_debug-shell_disabled:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 |
| Description | SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9, which is accessed by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled.
The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. |
OVAL test results details
package systemd is removed
oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| systemd | x86_64 | (none) | 2.fc35 | 249.4 | 0:249.4-2.fc35 | db4639719867c58f | systemd-0:249.4-2.fc35.x86_64 |
Test that the debug-shell service is not running
oval:ssg-test_service_not_running_debug-shell:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_debug-shell:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|---|
| ^debug-shell\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service debug-shell is masked
oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1 of type
systemdunitproperty_object
| Unit | Property |
|---|---|
| ^debug-shell\.(service|socket)$ | LoadState |
Verify that Interactive Boot is Disabled
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_disable_interactive_boot:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, SC-2(1), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00227 |
| Description | Fedora systems support an "interactive boot" option that can
be used to prevent services from being started. On a Fedora
system, interactive boot can be enabled by providing a 1,
yes, true, or on value to the
systemd.confirm_spawn kernel argument in /etc/default/grub.
Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from
the kernel arguments in that file to disable interactive boot. It is also
necessary to change the runtime configuration; to do so, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" |
| Rationale | Using interactive boot, the console user could disable auditing, firewalls,
or other services, weakening system security. |
OVAL test results details
Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ | 1 |
Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT
oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub
oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Require Authentication for Single User Mode
| Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_singleuser_auth:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 R2.2.3, CIP-004-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048 |
| Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such access is further prevented
by configuring the bootloader password. |
OVAL test results details
Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode
oval:ssg-test_require_rescue_service:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/rescue.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue |
Tests that the systemd rescue.service is in the runlevel1.target
oval:ssg-test_require_rescue_service_runlevel1:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/runlevel1.target | Requires=sysinit.target rescue.service |
look for runlevel1.target in /etc/systemd/system
oval:ssg-test_no_custom_runlevel1_target:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /etc/systemd/system | ^runlevel1.target$ |
look for rescue.service in /etc/systemd/system
oval:ssg-test_no_custom_rescue_service:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_rescue_service:obj:1 of type
file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /etc/systemd/system | ^rescue.service$ |
Set Password Minimum Length in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_minlen_login_defs:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000078-GPOS-00046 |
| Description | To specify password length requirements for new accounts, edit the file
/etc/login.defs and add or correct the following line:
PASS_MIN_LEN 15
The DoD requirement is 15.
The FISMA requirement is 12.
The profile requirement is
15.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation, then
the most restrictive must be satisfied. See the PAM section for more
information about enforcing password quality requirements. |
| Rationale | Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result. |
OVAL test results details
The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs
oval:ssg-test_pass_min_len:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_last_pass_min_len_instance_value:obj:1 of type
variable_object
| Var ref |
|---|
| oval:ssg-variable_last_pass_min_len_instance_value:var:1 |
Prevent Login to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | high |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, SRG-OS-000480-GPOS-00227 |
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of
nullok from
/etc/pam.d/system-auth
to prevent logins with empty passwords.
Note that this rule is not applicable for systems running within a
container. Having a user with an empty password within a container is not
considered a risk, because it should not be possible to directly log in to
a container anyway. |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
OVAL test results details
make sure nullok is not used in /etc/pam.d/system-auth
oval:ssg-test_no_empty_passwords:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_empty_passwords:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^[^#]*\bnullok\b.*$ | 1 |
Set Interactive Session Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_tmout |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_tmout:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R29), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-3 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010 |
| Description | Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity. The TMOUT
setting in a file loaded by /etc/profile, e.g.
/etc/profile.d/tmout.sh should read as follows:
TMOUT=600 |
| Rationale | Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended. |
OVAL test results details
TMOUT in /etc/profile
oval:ssg-test_etc_profile_tmout:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profile_tmout:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/profile | ^[\s]*TMOUT=([\w$]+).*$ | 1 |
TMOUT in /etc/profile.d/*.sh
oval:ssg-test_etc_profiled_tmout:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/profile.d/tmout.sh | TMOUT=600 |
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chmod:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chmod
oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit chmod
oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chown:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chown
oval:ssg-test_32bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit chown
oval:ssg-test_64bit_ardm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chown
oval:ssg-test_32bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit chown
oval:ssg-test_64bit_ardm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmod (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod, medium)
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmod:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmod
oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit fchmod
oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchmodat (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat, medium)
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmodat:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmodat
oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit fchmodat
oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchown (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown, medium)
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchown:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchown
oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit fchown
oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fchownat (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat, medium)
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchownat:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchownat
oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit fchownat
oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr, medium)
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fremovexattr:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fremovexattr
oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit fremovexattr
oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr, medium)
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fsetxattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fsetxattr
oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit fsetxattr
oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lchown (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown) medium
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lchown:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lchown
oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit lchown
oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr) medium
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lremovexattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lremovexattr
oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit lremovexattr
oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr) medium
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lsetxattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64-bit, also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lsetxattr
oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit lsetxattr
oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_removexattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit removexattr
oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit removexattr
oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_setxattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setxattr
oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit setxattr
oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run chcon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_chcon:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850 |
| Description | At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chcon
oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chcon
oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run restorecon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_restorecon:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850 |
| Description | At a minimum, the audit system should collect any execution attempt
of the restorecon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules restorecon
oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl restorecon
oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run semanage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_semanage:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850 |
| Description | At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules semanage
oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl semanage
oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run setsebool (xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool, medium)
Record Any Attempts to Run setsebool
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_setsebool:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850 |
| Description | At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules setsebool
oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl setsebool
oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Any Attempts to Run seunshare (xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare, medium)
Record Any Attempts to Run seunshare
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_execution_seunshare:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000463-VMM-001850 |
| Description | At a minimum, the audit system should collect any execution attempt
of the seunshare command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules seunshare
oval:ssg-test_audit_rules_execution_seunshare_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_seunshare_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl seunshare
oval:ssg-test_audit_rules_execution_seunshare_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_execution_seunshare_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - rename (xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename, medium)
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rename:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rename
oval:ssg-test_32bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit rename
oval:ssg-test_64bit_ardm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rename
oval:ssg-test_32bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit rename
oval:ssg-test_64bit_ardm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - renameat (xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat, medium)
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_renameat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as in detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit renameat
oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit renameat
oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - rmdir (xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir, medium)
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rmdir:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rmdir
oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit rmdir
oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlink:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlink
oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit unlink
oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as detecting
malicious processes that attempt to delete log files to conceal their presence. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlinkat
oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit unlinkat
oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+\|([\s]+\|[,])chmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Ownership Changes to Files - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+\|([\s]+\|[,])chown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+\|([\s]+\|[,])creat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmod_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmod_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmod_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmod_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+\|([\s]+\|[,])fchmod([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmodat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmodat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchmodat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchmodat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+\|([\s]+\|[,])fchmodat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Ownership Changes to Files - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+\|([\s]+\|[,])fchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Ownership Changes to Files - fchownat (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat, severity medium)
Record Unsuccessful Ownership Changes to Files - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read
audit rules during daemon startup (the default), add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchownat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchownat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fchownat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fchownat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+\|([\s]+\|[,])fchownat([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fremovexattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr, severity medium)
Record Unsuccessful Permission Changes to Files - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured to use the augenrules program to read
audit rules during daemon startup (the default), add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+\|([\s]+\|[,])fremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - fsetxattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr, severity medium)
Record Unsuccessful Permission Changes to Files - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_fsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+\|([\s]+\|[,])fsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - ftruncate (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate, severity medium)
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+\|([\s]+\|[,])ftruncate([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Ownership Changes to Files - lchown (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown, severity medium)
Record Unsuccessful Ownership Changes to Files - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file ownership change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lchown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lchown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lchown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lchown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+\|([\s]+\|[,])lchown([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - lremovexattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr, severity medium)
Record Unsuccessful Permission Changes to Files - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lremovexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lremovexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+\|([\s]+\|[,])lremovexattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - lsetxattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr, severity medium)
Record Unsuccessful Permission Changes to Files - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lsetxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_lsetxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+\|([\s]+\|[,])lsetxattr([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - open (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open, severity medium)
Record Unsuccessful Access Attempts to Files - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+\|([\s]+\|[,])open([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - open_by_handle_at (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at, severity medium)
Record Unsuccessful Access Attempts to Files - open_by_handle_at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+\|([\s]+\|[,])open_by_handle_at([\s]+\|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat, severity medium)
Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to create new files
when the O_CREAT flag (octal 0100) is set in its third argument, which is why the
rules below filter on a2&0100. Note that open_by_handle_at requires the
CAP_DAC_READ_SEARCH capability, so a call from an unprivileged process fails with
EPERM regardless of the target file's permissions; the EPERM rule therefore records
every such attempt, and the EACCES rule records privileged callers denied by file permissions.
The following audit rules will ensure that unsuccessful attempts to create a
file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write, severity medium)
Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The open_by_handle_at syscall can be used to modify files
when called for a write operation (O_WRONLY or O_RDWR) or with the O_TRUNC flag.
The mask 01003 in the rules below covers O_WRONLY (01), O_RDWR (02) and O_TRUNC
(01000) in the syscall's third argument, so a2&01003 matches a call that sets any
of them. Because open_by_handle_at requires the CAP_DAC_READ_SEARCH capability, an
unprivileged caller fails with EPERM before file permissions are consulted, so the
EPERM rule records every such attempt.
The following audit rules will ensure that unsuccessful attempts to modify a
file via the open_by_handle_at syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to the
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
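The descriptions of the O_CREAT and O_TRUNC_WRITE rules above list the eight lines to add, and the OVAL object tables show the regular expression the scanner applies to each one. The following Python script is an added example, not part of the scap-security-guide content or of this report: it rebuilds the same regex shape (arch, a -S list containing open_by_handle_at, the a2 mask, the exit value, both auid filters, then -k or -F key=) for every arch/event/exit combination, runs it over a constructed sample rules.d file, and emits the lines that would have to be appended for each check to pass. The sample file content, the function names and the path in the usage comment are assumptions for illustration; the key names keep the spelling used in the rule text above.

```python
"""Check a rules file for the open_by_handle_at O_CREAT / O_TRUNC_WRITE audit
rules, mirroring the regex shape of the OVAL textfilecontent54 objects above.
Added example: not part of scap-security-guide or of the scanned system."""
import re
from typing import Dict, List

# Octal masks applied to a2, the flags argument of open_by_handle_at:
# O_CREAT = 0100; O_WRONLY|O_RDWR|O_TRUNC = 01|02|01000 = 01003.
MASKS = {"create": "0100", "modification": "01003"}
EXITS = ("EACCES", "EPERM")
ARCHES = ("b32", "b64")


def rule_pattern(arch: str, mask: str, exit_code: str) -> "re.Pattern[str]":
    """Same fixed field order the OVAL check demands: arch, -S list, a2 mask,
    exit, auid>=1000, auid!=unset|4294967295, then -k or -F key=."""
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+"
        r"(?:-F[\s]+arch=" + re.escape(arch) + r"[\s]+)"
        r"(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+"
        r"(?:-F\s+a2&" + re.escape(mask) + r")[\s]+"
        r"(?:-F\s+exit=-" + re.escape(exit_code) + r")[\s]+"
        r"(?:-F\s+auid>=1000[\s]+)"
        r"(?:-F\s+auid!=(unset|4294967295)[\s]+)"
        r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$",
        re.MULTILINE,
    )


def expected_rule(arch: str, event: str, exit_code: str) -> str:
    """The rule line from the description for one arch/event/exit combination.
    The key keeps the spelling used in the rule text ('unsuccesful-...')."""
    return (f"-a always,exit -F arch={arch} -S open_by_handle_at -F a2&{MASKS[event]} "
            f"-F exit=-{exit_code} -F auid>=1000 -F auid!=unset -F key=unsuccesful-{event}")


def check_rules(text: str, arches=ARCHES) -> Dict[str, bool]:
    """Map 'b64 create EACCES' -> True when a matching line exists in text."""
    results: Dict[str, bool] = {}
    for arch in arches:
        for event, mask in MASKS.items():
            for exit_code in EXITS:
                found = rule_pattern(arch, mask, exit_code).search(text) is not None
                results[f"{arch} {event} {exit_code}"] = found
    return results


def missing_rules(text: str, arches=ARCHES) -> List[str]:
    """Rule lines that would have to be appended for every check to pass."""
    return [
        expected_rule(arch, event, exit_code)
        for arch in arches
        for event in MASKS
        for exit_code in EXITS
        if not rule_pattern(arch, MASKS[event], exit_code).search(text)
    ]


# Constructed sample of a /etc/audit/rules.d/*.rules file (not taken from the
# scanned host). Line 4 puts -F exit= before -F a2&..., which auditd accepts
# but the fixed-order OVAL regex does not.
SAMPLE_RULES = """\
## constructed sample, not a real rules file
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F a2&01003 -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=unsuccesful-create
"""

if __name__ == "__main__":
    import sys
    # Usage: python3 check_obha_rules.py [/etc/audit/rules.d/30-ospp-v42.rules]
    # (file name and path are assumptions; without an argument the sample is used)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for name, ok in check_rules(text).items():
        print(f"{'pass' if ok else 'FAIL'}  {name}")
    for line in missing_rules(text):
        print(line)
```

On the sample, the grouped `-S openat,open_by_handle_at` line and the `-k` form both pass, as the OVAL regex allows, while line 4 is reported missing even though auditd would load it: the scanner fixes the field order, so rules must be written exactly as in the description to be recognised. Run it against a real file as root, append the printed lines, then reload with `augenrules --load` and confirm with `auditctl -l`.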
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the open_by_handle_at syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules, because the more
specific rules cover a subset of the events covered by the less specific rules; placed after them, they would be
overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
| Rationale | The more specific rules cover a subset of events covered by the less specific rules.
By ordering them from more specific to less specific, it is assured that the less specific
rule will not catch events better recorded by the more specific rule. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eacces_aug | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eperm_auge | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eacces_aug | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eperm_auge | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e | 1 |
Test order of audit 32bit auditctl eperm rules order
oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_open_by_handle_at_order_64bit_auditctl_eacces | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ; Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_auditctl_e | 1 |
Record Unsuccessful Creation Attempts to Files - open O_CREAT (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unauthorized file accesses for
all users and root. The open syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will ensure that unsuccessful attempts to create a
file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The open syscall can be used to modify files
if called for a write operation or with the O_TRUNC_WRITE flag.
The following audit rules will ensure that unsuccessful attempts to modify a
file via the open syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the open syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules, because the more
specific rules cover a subset of the events covered by the less specific rules; placing them
first keeps them from being overshadowed by the less specific rules, which match a bigger set of events.
Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
| Rationale | The more specific rules cover a subset of events covered by the less specific rules.
By ordering them from more specific to less specific, it is assured that the less specific
rule will not catch events better recorded by the more specific rule. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eacces_augenrules_regex). Patterns listed for the object: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eperm_augenrules_regex). Patterns listed for the object: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ ; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eacces_augenrules_regex | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eperm_augenrules_regex: | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_32bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eacces_regex:v | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Test order of audit 32bit auditctl eperm rules order
oval:ssg-test_arufm_open_order_32bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eperm_regex:va | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_open_order_64bit_auditctl_eacces_regex:var:1) | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_open_order_64bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_open_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_auditctl_eperm_regex:va | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Record Unsuccessful Access Attempts to Files - openat xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat medium
Record Unsuccessful Access Attempts to Files - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Unsuccessful Creation Attempts to Files - openat O_CREAT xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat medium
Record Unsuccessful Creation Attempts to Files - openat O_CREAT
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unauthorized file accesses for
all users and root. The openat syscall can be used to create new files
when the O_CREAT flag is specified.
The following audit rules will assure that unsuccessful attempts to create a
file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect detailed unauthorized file accesses for
all users and root. The openat syscall can be used to modify files
if called for a write operation or with the O_TRUNC_WRITE flag.
The following audit rules will ensure that unsuccessful attempts to modify a
file via the openat syscall are collected.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rules below to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rules below to
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
|
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification |
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect detailed unauthorized file
accesses for all users and root.
To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
of files via the openat syscall, the audit rules collecting these events need to be in a certain order.
The more specific rules need to come before the less specific rules. The reason is that the more
specific rules cover a subset of the events covered by the less specific rules, so they must come
first in order not to be overshadowed by the less specific rules, which match a larger set of events.
Make sure that the rules for unsuccessful calls of the openat syscall are in the order shown below.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), check the order of
rules below in a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, check the order of rules below in
/etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
|
| Rationale | The more specific rules cover a subset of events covered by the less specific rules.
By ordering them from more specific to less specific, it is assured that the less specific
rule will not catch events better recorded by the more specific rule. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eacces_augenrules_reg | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$; Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eperm_augenrules_rege | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eacces_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eacces_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eacces_augenrules_reg | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eperm_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eperm_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eperm_augenrules_rege | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_32bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eacces_regex | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Test order of 32-bit auditctl eperm audit rules
oval:ssg-test_arufm_openat_order_32bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_32bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eperm_regex: | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eacces_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eacces_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_openat_order_64bit_auditctl_eacces_regex:var: | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
defined audit rule must exist
oval:ssg-test_arufm_openat_order_64bit_eperm_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arufm_openat_order_64bit_eperm_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_auditctl_eperm_regex: | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
Record Unsuccessful Permission Changes to Files - removexattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr) - medium
Record Unsuccessful Permission Changes to Files - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_removexattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_removexattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_removexattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_removexattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| /etc/audit/audit.rules | 1 |
Record Unsuccessful Delete Attempts to Files - rename (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename) - medium
Record Unsuccessful Delete Attempts to Files - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64-bit, also add the following lines:
-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* | | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ |
| ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_rename_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_rename_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_rename_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_rename_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Delete Attempts to Files - renameat (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat, severity medium)
Record Unsuccessful Delete Attempts to Files - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is instead configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here each system call
has been placed in its own rule, independent of the other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
The grouped form still satisfies this rule's check, because the check only requires the syscall name to appear somewhere in the -S list. A separate line is still required for each exit value (-EACCES and -EPERM) and, on 64-bit systems, for each architecture (b32 and b64). |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_renameat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_renameat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_renameat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_renameat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Permission Changes to Files - setxattr (xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr, severity medium)
Record Unsuccessful Permission Changes to Files - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), CM-6(a), SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file permission change
attempts for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is instead configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change |
| Rationale | Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the audit rule checks a
system call independently of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
The grouped form still satisfies this rule's check, because the check only requires the syscall name to appear somewhere in the -S list; a bare substring such as the setxattr inside lsetxattr does not count. A separate line is still required for each exit value (-EACCES and -EPERM) and, on 64-bit systems, for each architecture (b32 and b64). |
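The renameat and setxattr descriptions above both amount to the same requirement: one rule per (architecture, exit value) pair, carrying the auid filters and a key, in whichever file auditd loads at startup. The OVAL tests listed under each rule check exactly that with one regular expression per pair. The following Python script is an added example, not part of this report or of the SCAP Security Guide; it re-implements that check offline so you can see which rule lines pass and which do not before running a scan. The regular expression is a transcription of the pattern shown in the OVAL test tables, and the loader detection mirrors the augenrules/auditctl tests on auditd.service. The helper names (`rule_pattern`, `find_rules`, `missing_rules`, `rules_files_for`) and all sample text are my own construction.

```python
import re

# Mirror of the SSG OVAL pattern for one (arch, syscall, errno) triple.  The
# field order is the one the SSG rules use (-a, -F arch, -S, -F exit,
# -F auid>=, -F auid!=, key); a rule written in another order will not match,
# exactly as it would not match the report's regex.
def rule_pattern(arch: str, syscall: str, errno: str) -> re.Pattern:
    sc = re.escape(syscall)
    return re.compile(
        r"^\s*-a\s+always,exit\s+"
        r"-F\s+arch=" + re.escape(arch) + r"\s+"
        # the syscall may stand alone after -S or sit anywhere inside a
        # comma-separated -S list, so the grouped form from the warning passes;
        # the name must be delimited by -S/space/comma, so "lsetxattr" is not "setxattr"
        r"(?:.*(?:-S\s+" + sc + r"\s+|(?:\s+|,)" + sc + r"(?:\s+|,)))"
        r"(?:(?!-F\s+a\d&).)*"          # no -F a0&..a3& argument filters in between
        r"-F\s+exit=-" + re.escape(errno) + r"\s+"
        r"-F\s+auid>=1000\s+"
        r"-F\s+auid!=(?:unset|4294967295)\s+"
        r"(?:-k\s+|-F\s+key=)\S+\s*$"   # either key syntax is accepted
    )


def find_rules(rules_text: str, syscall: str, arches=("b32", "b64"),
               errnos=("EACCES", "EPERM")) -> dict:
    """Map each (arch, errno) pair to the first rule line satisfying it, or None."""
    lines = [l for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    found = {}
    for arch in arches:
        for errno in errnos:
            pat = rule_pattern(arch, syscall, errno)
            found[(arch, errno)] = next((l for l in lines if pat.search(l)), None)
    return found


def missing_rules(rules_text: str, syscall: str, is_64bit: bool = True) -> list:
    """(arch, errno) pairs with no matching rule; an empty list means the check passes.
    The report only evaluates the b64 tests on a 64-bit machine, hence the flag."""
    arches = ("b32", "b64") if is_64bit else ("b32",)
    return sorted(k for k, v in find_rules(rules_text, syscall, arches).items()
                  if v is None)


def rules_files_for(auditd_service_text: str) -> str:
    """Which file(s) the report inspects depends on how auditd.service loads rules."""
    if re.search(r"^ExecStartPost=-/sbin/augenrules\b", auditd_service_text, re.M):
        return "/etc/audit/rules.d/*.rules"
    if re.search(r"^ExecStartPost=-/sbin/auditctl\b", auditd_service_text, re.M):
        return "/etc/audit/audit.rules"
    raise ValueError("auditd.service loads rules with neither augenrules nor auditctl")


# Constructed sample inputs (not taken from any real system).
SAMPLE_SERVICE = "[Service]\nExecStart=/sbin/auditd\nExecStartPost=-/sbin/augenrules --load\n"

# Grouped form from the rules' warnings, one line per (arch, errno); passes for
# every syscall named in the -S list, with either key syntax and either auid value.
SAMPLE_GROUPED = """\
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k unsuccesful-perm-change
"""

# Typical partial deployment: EPERM lines missing, and one b32 line drops auid!=unset.
SAMPLE_INCOMPLETE = """\
-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k unsuccessful-delete
-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -k unsuccessful-delete
-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -k unsuccesful-perm-change
"""

if __name__ == "__main__":
    print("rules read from:", rules_files_for(SAMPLE_SERVICE))
    for name, text in (("grouped", SAMPLE_GROUPED), ("incomplete", SAMPLE_INCOMPLETE)):
        for sc in ("renameat", "setxattr"):
            print(f"{name:10s} {sc:9s} missing: {missing_rules(text, sc)}")
```

Run it as-is to see the grouped rules pass for renameat, rename, setxattr and lsetxattr alike, while the incomplete set reports exactly the (arch, errno) pairs the scanner would flag. To check a live host, replace the sample text with the concatenated contents of the files named by `rules_files_for` and pass the machine's real architecture flag.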
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_setxattr_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_setxattr_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_setxattr_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_setxattr_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Access Attempts to Files - truncate xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate medium
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Delete Attempts to Files - unlink xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink medium
Record Unsuccessful Delete Attempts to Files - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_unlink:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
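The truncate and unlink rule descriptions above both prescribe the same four-line shape (b32 and b64, EACCES and EPERM), and the warning notes that the syscalls may be grouped into one rule. The following is an added worked example, not code from the report or from the SSG project: it generates rule lines in the prescribed shape and then applies the same regular expression the report's textfilecontent54 objects use, so the scanner's verdict on a rules file can be predicted offline before it is deployed. The sample rules file is constructed for the example, and the function names (`build_rules`, `oval_pattern`, `rule_present`, `missing_rules`) are chosen here; only the regex and the rule syntax come from the report.

```python
"""Build and pre-check auditd rules for unsuccessful file-modification attempts.

Added example; not part of the SCAP report or of the SSG content. It reproduces
the regular expression the report's textfilecontent54 objects apply to
/etc/audit/rules.d/*.rules (augenrules) or /etc/audit/audit.rules (auditctl),
so a rules file can be checked before auditd is reloaded.
"""
import re
from itertools import product

ERRNOS = ("EACCES", "EPERM")
ARCHS = ("b32", "b64")


def build_rules(syscalls, key, archs=ARCHS):
    """Rule lines in the shape the rule description prescribes: one per
    (arch, errno). Several syscalls may be grouped in one -S list, which is
    what the warning recommends (one kernel rule instead of several)."""
    sc = ",".join(syscalls)
    return [
        f"-a always,exit -F arch={arch} -S {sc} -F exit=-{err} "
        f"-F auid>=1000 -F auid!=unset -F key={key}"
        for arch in archs
        for err in ERRNOS
    ]


def oval_pattern(arch, syscall, errno):
    """The report's pattern, parameterised on the only three parts that differ
    between its test objects (arch, syscall name, errno); otherwise verbatim."""
    return re.compile(
        rf"^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch={arch}[\s]+)"
        rf"(?:.*(-S[\s]+{syscall}[\s]+|([\s]+|[,]){syscall}([\s]+|[,])))"
        rf"(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-{errno})[\s]+"
        r"(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)"
        r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
    )


def rule_present(rules_text, arch, syscall, errno):
    """True if at least one line of rules_text satisfies the scanner's test."""
    pat = oval_pattern(arch, syscall, errno)
    return any(pat.search(line) for line in rules_text.splitlines())


def missing_rules(rules_text, syscalls, archs=ARCHS):
    """(arch, syscall, errno) combinations the scanner would report as
    'No items have been found', i.e. the combinations that make the rule fail."""
    return [
        (arch, sc, err)
        for arch, sc, err in product(archs, syscalls, ERRNOS)
        if not rule_present(rules_text, arch, sc, err)
    ]


# Constructed sample rules file for this example (not taken from a real host).
SAMPLE_RULES = "\n".join([
    "## truncate, exactly as the rule description lists it",
    *build_rules(["truncate"], "access"),
    "## deletions grouped into one rule, as the warning suggests",
    *build_rules(["unlink", "unlinkat", "rename", "renameat"], "unsuccessful-delete"),
    "## same filters for ftruncate but in a different order: auditctl accepts",
    "## it, the scanner's regex (exit, then auid, then key) does not",
    "-a always,exit -F arch=b64 -S ftruncate -F auid>=1000 -F auid!=unset "
    "-F exit=-EACCES -k access",
])


if __name__ == "__main__":
    for sc in ("truncate", "unlink", "unlinkat", "rename", "renameat", "ftruncate"):
        missing = missing_rules(SAMPLE_RULES, [sc])
        print(f"{sc:10s} {'pass' if not missing else 'fail ' + str(missing)}")
```

The ftruncate line shows the practical caveat: the check is order-sensitive (exit filter before the auid filters before the key), while auditctl itself accepts the -F filters in any order, so write rules in the order the description uses or the scanner will report a failure for a rule the kernel is actually enforcing. After editing the file, load it with `augenrules --load` (or `auditctl -R <file>` on an auditctl-based setup) and confirm the loaded set with `auditctl -l`.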
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlink_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlink_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlink_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlink_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Unsuccessful Delete Attempts to Files - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | The audit system should collect unsuccessful file deletion
attempts for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file.
-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
| Rationale | Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit augenrules 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlinkat_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlinkat_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces
oval:ssg-test_32bit_arufm_eacces_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eacces_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 32-bit file eperm
oval:ssg-test_32bit_arufm_eperm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_arufm_eperm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit file eacces
oval:ssg-test_64bit_arufm_eacces_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eacces_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl 64-bit file eperm
oval:ssg-test_64bit_arufm_eperm_unlinkat_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_arufm_eperm_unlinkat_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_delete:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970 |
| Description | To capture kernel module unloading events, use the following line, setting ARCH to
b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to the file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit delete_module
oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit delete_module
oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_init:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970 |
| Description | To capture kernel module loading events, use the following line, setting ARCH to
b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F key=modules
Where to add the line depends on how the auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to the file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit augenrules 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit init_module
oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
audit auditctl 64-bit init_module
oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Attempts to Alter Logon and Logout Events - faillock
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_faillock:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900 |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/run/faillock -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules faillock
oval:ssg-test_arle_faillock_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_faillock_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl faillock
oval:ssg-test_arle_faillock_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_faillock_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_lastlog:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900 |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules lastlog
oval:ssg-test_arle_lastlog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_lastlog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl lastlog
oval:ssg-test_arle_lastlog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_lastlog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
Record Attempts to Alter Logon and Logout Events - tallylog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_tallylog:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, CCI-000126, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900 |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules tallylog
oval:ssg-test_arle_tallylog_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_tallylog_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl tallylog
oval:ssg-test_arle_tallylog_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arle_tallylog_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_at:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules at
oval:ssg-test_audit_rules_privileged_commands_at_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_at_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl at
oval:ssg-test_audit_rules_privileged_commands_at_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_at_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chage:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chage
oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chage
oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_chsh:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl chsh
oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_crontab:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl crontab
oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_gpasswd:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl gpasswd
oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - mount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_mount:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000135, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules mount
oval:ssg-test_audit_rules_privileged_commands_mount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl mount
oval:ssg-test_audit_rules_privileged_commands_mount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newgidmap:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newgidmap
oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newgidmap
oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newgrp:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newgrp
oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_newuidmap:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl newuidmap
oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_passwd:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl passwd
oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_pt_chown:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl pt_chown
oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl ssh_keysign
oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
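Every privileged-command rule in this section (gpasswd, mount, newgidmap, newgrp, newuidmap, passwd, pt_chown, ssh-keysign and su) is evaluated the same way: the scanner first reads /usr/lib/systemd/system/auditd.service to decide whether augenrules or auditctl loads the rules, then looks for one line matching the OVAL pattern in /etc/audit/rules.d/*.rules (augenrules) or in /etc/audit/audit.rules (auditctl). The script below is an added example, not part of this report or of the SCAP Security Guide; it re-implements that two-branch check offline so the regex behaviour can be studied without root or a live auditd. The unit-file text and rules files it uses are constructed, and the function names are the example's own.

```python
"""Offline re-implementation of the OVAL privileged-command audit rule check."""
from __future__ import annotations

import re

# Privileged executables covered by the rules in this section, with the paths
# used by the SSG content above.
PRIVILEGED_COMMANDS = [
    "/usr/bin/gpasswd",
    "/usr/bin/mount",
    "/usr/bin/newgidmap",
    "/usr/bin/newgrp",
    "/usr/bin/newuidmap",
    "/usr/bin/passwd",
    "/usr/libexec/pt_chown",
    "/usr/libexec/openssh/ssh-keysign",
    "/usr/bin/su",
]

# Same two ExecStartPost checks the report runs against auditd.service.
AUGENRULES_RE = re.compile(r"^ExecStartPost=-/sbin/augenrules\b", re.M)
AUDITCTL_RE = re.compile(r"^ExecStartPost=-/sbin/auditctl\b", re.M)


def rule_regex(command: str) -> re.Pattern:
    """Build the per-command pattern used by the OVAL textfilecontent54 objects:
    fixed field order, auid!=unset or its numeric form 4294967295, and the key
    given either as -k or -F key=."""
    return re.compile(
        r"^\s*-a\s+always,exit\s+-F\s+path=" + re.escape(command)
        + r"\s+-F\s+auid>=1000\s+-F\s+auid!=(?:4294967295|unset)\s+"
          r"(?:-k\s+|-F\s+key=)\S+\s*$",
        re.M,
    )


def rules_loader(auditd_unit_text: str) -> str:
    """Return 'augenrules' or 'auditctl' depending on how auditd.service loads rules."""
    if AUGENRULES_RE.search(auditd_unit_text):
        return "augenrules"
    if AUDITCTL_RE.search(auditd_unit_text):
        return "auditctl"
    raise ValueError("auditd.service has no recognised ExecStartPost rule loader")


def rule_sources(loader: str, files: dict[str, str]) -> dict[str, str]:
    """Select the files the scanner reads for the given loader: only
    /etc/audit/rules.d/*.rules for augenrules, only /etc/audit/audit.rules
    for auditctl. Anything else is ignored, exactly as in the OVAL objects."""
    if loader == "augenrules":
        return {p: t for p, t in files.items()
                if re.match(r"^/etc/audit/rules\.d/.*\.rules$", p)}
    return {p: t for p, t in files.items() if p == "/etc/audit/audit.rules"}


def check_privileged_rules(files: dict[str, str], loader: str,
                           commands: list[str] = PRIVILEGED_COMMANDS) -> dict[str, list[str]]:
    """Map each command to the files holding a conforming rule; an empty list is a finding."""
    sources = rule_sources(loader, files)
    report: dict[str, list[str]] = {}
    for cmd in commands:
        rx = rule_regex(cmd)
        report[cmd] = sorted(path for path, text in sources.items() if rx.search(text))
    return report


def remediation_lines(report: dict[str, list[str]]) -> list[str]:
    """Emit the rule line from the Description for every command without a hit."""
    return [f"-a always,exit -F path={cmd} -F auid>=1000 -F auid!=unset -F key=privileged"
            for cmd, hits in report.items() if not hits]


# Constructed sample host (not taken from a real system): augenrules is the loader,
# gpasswd is covered, passwd uses auid!=-1 (auditctl accepts it, the scanner does not),
# mount sits in a file without the .rules suffix, and su lives only in
# /etc/audit/audit.rules, which augenrules --load overwrites from rules.d anyway.
SAMPLE_UNIT = "[Service]\nExecStart=/sbin/auditd\nExecStartPost=-/sbin/augenrules --load\n"
SAMPLE_FILES = {
    "/etc/audit/rules.d/50-privileged.rules":
        "-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -k privileged\n"
        "-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=-1 -k privileged\n",
    "/etc/audit/rules.d/README":
        "-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -k privileged\n",
    "/etc/audit/audit.rules":
        "-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged\n",
}


def sample_report() -> dict[str, list[str]]:
    return check_privileged_rules(SAMPLE_FILES, rules_loader(SAMPLE_UNIT))


if __name__ == "__main__":
    rep = sample_report()
    for cmd, hits in rep.items():
        print(f"{'PASS' if hits else 'FAIL'} {cmd} {hits}")
    print("\nLines to add under /etc/audit/rules.d/:")
    print("\n".join(remediation_lines(rep)))
```

Three things the sample is built to show. The scanner's regex is stricter than auditctl: the -F fields must appear in exactly the order given in the Description, and the older spelling auid!=-1 (which auditctl treats the same as unset) is not accepted, so a rule that loads fine can still fail the check. A file in /etc/audit/rules.d that lacks the .rules suffix is never read. And when augenrules is the loader, as on this host, a rule placed only in /etc/audit/audit.rules is both ignored by the check and lost the next time augenrules --load regenerates that file from rules.d. After adding the lines, run augenrules --load (or restart auditd) and confirm with auditctl -l that the rule is actually active.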
Ensure auditd Collects Information on the Use of Privileged Commands - su
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_su:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules su
oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl su
oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudo (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo, severity: medium)
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudo:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudo
oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit, severity: medium)
Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_sudoedit:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoedit
oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - umount (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount, severity: medium)
Ensure auditd Collects Information on the Use of Privileged Commands - umount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_umount:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules umount
oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl umount
oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd, severity: medium)
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl unix_chkpwd
oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper, severity: medium)
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_userhelper:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl userhelper
oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl (xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl, severity: medium)
Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_privileged_commands_usernetctl:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000172, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl usernetctl
oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/group (xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open, severity: medium)
Record Events that Modify User/Group Information via open syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_group_open:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/group file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify |
| Rationale | Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify |
|
|
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_32bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_64bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_32bit_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_64bit_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to the /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit, then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify |
| Rationale | Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_group_openat:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to the /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit, then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify |
| Rationale | Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_32bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_64bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_32bit_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_group_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_group_openat_64bit_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_gshadow_open:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit, then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_32bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_64bit_augenrules:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_32bit_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/gshadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_gshadow_openat:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/gshadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_passwd_open:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify |
| Rationale | Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify |
| Rationale | Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset\|4294967295)[\s]+)(?:-k[\s]+\|-F[\s]+key=)[\S]+[\s]*$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_passwd_openat:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/passwd file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify |
| Rationale | Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_passwd_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_passwd_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via open syscall - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_shadow_open:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Record Events that Modify User/Group Information via openat syscall - /etc/shadow (xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat, severity medium)
Record Events that Modify User/Group Information via openat syscall - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_etc_shadow_openat:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect write events to the /etc/shadow file for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify |
| Rationale | Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping system calls related
to the same event is more efficient. See the following example:
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_32bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_32bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_64bit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_64bit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_32bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_32bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
64 bit architecture
oval:ssg-test_system_info_architecture_x86_64:tst:1
true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppc_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_ppcle_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_aarch_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
64 bit architecture
oval:ssg-test_system_info_architecture_s390_64:tst:1
false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | fedora | Linux | 5.14.10-300.fc35.x86_64 | #1 SMP Thu Oct 7 20:48:44 UTC 2021 | x86_64 |
defined audit rule must exist
oval:ssg-test_audit_rules_tc_shadow_openat_64bit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_tc_shadow_openat_64bit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Make the auditd Configuration Immutable (xccdf_org.ssgproject.content_rule_audit_rules_immutable, severity medium)
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_immutable:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation. |
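The check for this rule only looks for a `-e 2` line somewhere under /etc/audit/rules.d (or in /etc/audit/audit.rules); it does not look at where that line lands once augenrules merges the files. Placement matters: after the kernel locks the audit configuration, every later directive in the merged file is rejected, so a `-e 2` in a file that sorts early silently drops everything loaded after it. The Python below is an added example, not part of this report or of the SSG content. It merges constructed rules.d contents in the natural sort order that augenrules(8) describes (approximated here by comparing digit runs numerically, an assumption noted in the code) and accepts the configuration only when `-e 2` is the single, final directive. The function and sample names are this example's own, and the ordering test goes beyond what the report's OVAL object checks.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the report's or SSG's own code.

def natural_key(name: str) -> list:
    """Sort key that orders digit runs numerically (9-x.rules before 10-x.rules).
    Assumption: this approximates the natural sort order augenrules(8) documents."""
    return [int(tok) if tok.isdigit() else tok for tok in re.split(r"(\d+)", name)]

def merge_rules_d(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Concatenate rules.d files in natural sort order and return
    (file name, directive) pairs, skipping blank and comment lines."""
    merged: List[Tuple[str, str]] = []
    for name in sorted(files, key=natural_key):
        for line in files[name].splitlines():
            directive = line.strip()
            if directive and not directive.startswith("#"):
                merged.append((name, directive))
    return merged

# Same pattern the report's OVAL object uses to find the lock directive.
IMMUTABLE_RE = re.compile(r"^\-e\s+2\s*$")

def check_immutable(files: Dict[str, str]) -> Tuple[bool, str]:
    """True only if exactly one '-e 2' exists and it is the last directive
    auditctl would load. Anything after it fails because the configuration
    is already locked, and a second '-e 2' is rejected for the same reason."""
    merged = merge_rules_d(files)
    locks = [i for i, (_, directive) in enumerate(merged) if IMMUTABLE_RE.match(directive)]
    if not locks:
        return False, "no '-e 2' directive in any rules.d file"
    if len(locks) > 1:
        return False, "'-e 2' appears more than once"
    trailing = merged[locks[0] + 1:]
    if trailing:
        src, directive = trailing[0]
        return False, f"{len(trailing)} directive(s) follow '-e 2'; first is {src}: {directive}"
    return True, f"'-e 2' is the final directive (from {merged[locks[0]][0]})"

# Constructed rules.d contents (not taken from a real host).
LOCK_TOO_EARLY = {
    "10-immutable.rules": "-e 2\n",
    "50-shadow.rules": "-w /etc/shadow -p wa -k user-modify\n",
}
LOCK_LAST = {
    "50-shadow.rules": "-w /etc/shadow -p wa -k user-modify\n",
    "99-finalize.rules": "# lock the configuration; a reboot is required to change rules\n-e 2\n",
}
# Plain lexicographic order would put 10-finalize.rules before 9-base.rules and
# flag the lock as too early; natural order loads 9-base.rules first.
NATURAL_ORDER = {
    "9-base.rules": "-w /etc/shadow -p wa -k user-modify\n",
    "10-finalize.rules": "-e 2\n",
}

if __name__ == "__main__":
    for label, files in (("too early", LOCK_TOO_EARLY), ("last", LOCK_LAST), ("natural", NATURAL_ORDER)):
        ok, reason = check_immutable(files)
        print(f"{label:10s} {'ok' if ok else 'FAIL'}: {reason}")
```

Keeping `-e 2` in a file that sorts after every other rules file (99-finalize.rules is the usual choice) satisfies both the report's pattern and the ordering constraint; run `auditctl -l` after `augenrules --load` to confirm the rules that precede the lock were actually installed.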
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration locked
oval:ssg-test_ari_locked_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-e\s+2\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration locked
oval:ssg-test_ari_locked_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_ari_locked_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-e\s+2\s*$ | 1 |
Record Events that Modify the System's Mandatory Access Controls (xccdf_org.ssgproject.content_rule_audit_rules_mac_modification, severity medium)
Record Events that Modify the System's Mandatory Access Controls
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_mac_modification:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy |
| Rationale | The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit selinux changes augenrules
oval:ssg-test_armm_selinux_watch_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit selinux changes auditctl
oval:ssg-test_armm_selinux_watch_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_armm_selinux_watch_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ | 1 |
Record Attempts to Alter Process and Session Initiation Information (xccdf_org.ssgproject.content_rule_audit_rules_session_events, severity medium)
Record Attempts to Alter Process and Session Initiation Information
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_session_events:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 0582, 0584, 05885, 0586, 0846, 0957, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3 |
| Description | The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules utmp
oval:ssg-test_arse_utmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit augenrules btmp
oval:ssg-test_arse_btmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit augenrules wtmp
oval:ssg-test_arse_wtmp_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl utmp
oval:ssg-test_arse_utmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_utmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit auditctl btmp
oval:ssg-test_arse_btmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_btmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
audit auditctl wtmp
oval:ssg-test_arse_wtmp_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_arse_wtmp_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ | 1 |
Ensure auditd Collects System Administrator Actions (xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions, severity medium)
Ensure auditd Collects System Administrator Actions
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_sysadmin_actions:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(7)(b), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.2, Req-10.2.5.b, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000462-VMM-001840, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following lines to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
the /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions |
| Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system and to provide accountability. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ | 1 |
audit augenrules sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ | 1 |
audit auditctl sudoers
oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ | 1 |
Record Events that Modify User/Group Information - /etc/group (xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group, severity medium)
Record Events that Modify User/Group Information - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_group:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, 
SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture modifications of
group accounts:
-w /etc/group -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
the /etc/audit/audit.rules file, in order to capture modifications of
group accounts:
-w /etc/group -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
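Every check in this report for an audit rule (the /etc/shadow openat syscall rule, the SELinux, utmp/btmp/wtmp and sudoers watches, and this /etc/group watch) comes down to a regular expression run over the rules files, and the patterns differ in small ways that decide whether a rule auditctl accepts also passes the scan. The Python below is an added example, not part of this report or of the SSG content. It rebuilds the report's patterns (only the arch, syscall, path and key character class are parameterised; the rest is copied from the textfilecontent54 objects shown above) and runs them over two constructed rules.d samples. It shows that a grouped `-S open,openat,open_by_handle_at` rule satisfies the openat object, that `-F auid!=-1` does not (auditctl accepts it, but the pattern admits only `unset` or `4294967295`), that `-p rwa` passes the SELinux and sudoers watches but not the utmp/btmp/wtmp watches, whose objects require exactly `wa`, and that the /etc/group object's `\w+` key class rejects a hyphenated key such as `user-modify` that the other watch objects accept. The function and sample names are this example's own.

```python
import re
from typing import Dict, Optional

# Added example, not the report's or SSG's own code. The patterns are rebuilt
# from the textfilecontent54 objects in this report; only arch, syscall, path
# and the key character class are parameterised.

def syscall_pattern(arch: str, syscall: str, path: str) -> "re.Pattern[str]":
    """Pattern the report uses for '-a always,exit ... -S <syscall> ... -F path=<path>' rules."""
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=" + arch + r"[\s]+)"
        r"(?:-S[\s]+(?:[\S]+,)*(" + syscall + r")(?:,[\S]+)*)[\s]+"
        r"(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=" + path + r")[\s]+"
        r"(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)"
        r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
    )

def watch_pattern(path: str, strict_wa: bool = False, key_class: str = r"[-\w]+") -> "re.Pattern[str]":
    """Pattern the report uses for '-w <path> -p <perms> -k <key>' rules.
    strict_wa=True reproduces the utmp/btmp/wtmp objects, which accept only 'wa';
    the other watch objects accept w and a in either order with optional r/x."""
    perms = r"wa" if strict_wa else r"\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b"
    return re.compile(
        r"^\-w[\s]+" + re.escape(path) + r"[\s]+\-p[\s]+" + perms
        + r"[\s]+(-k[\s]+|-F[\s]+key=)" + key_class + r"[\s]*$"
    )

def find_rule(rules_text: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """First line matching the pattern (the OVAL objects ask for instance 1), else None."""
    for line in rules_text.splitlines():
        if pattern.match(line):
            return line
    return None

CHECKS = {
    "shadow_openat_b64": syscall_pattern("b64", "openat", "/etc/shadow"),
    "shadow_openat_b32": syscall_pattern("b32", "openat", "/etc/shadow"),
    "selinux_watch": watch_pattern("/etc/selinux/"),
    "wtmp_watch": watch_pattern("/var/log/wtmp", strict_wa=True),
    "sudoers_watch": watch_pattern("/etc/sudoers"),
    "group_watch": watch_pattern("/etc/group", key_class=r"\w+"),  # the /etc/group object uses \w+
}

def evaluate(rules_text: str) -> Dict[str, bool]:
    """Run every check over the text of a rules file; True means the object would be found."""
    return {name: find_rule(rules_text, pat) is not None for name, pat in CHECKS.items()}

# Constructed sample of a rules.d file (not from a real host). auditctl accepts
# every line, yet three of the six checks fail on it.
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=-1 -F key=user-modify
-w /etc/selinux/ -p rwa -k MAC-policy
-w /var/log/wtmp -p rwa -k session
-w /etc/sudoers -p wa -k actions
-w /etc/group -p wa -k user-modify
"""

# The same file rewritten so that every line matches the report's patterns.
COMPLIANT_RULES = """\
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/wtmp -p wa -k session
-w /etc/sudoers -p wa -k actions
-w /etc/group -p wa -k audit_rules_usergroup_modification
"""

if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE_RULES).items():
        print(f"{name:20s} {'pass' if ok else 'FAIL'}")
```

The practical consequence: write the rules exactly in the form the descriptions give (`-p wa`, `auid!=unset`, a key without hyphens for the /etc/group watch) rather than an equivalent auditctl spelling, or the scan reports a failure for a rule that is in fact loaded.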
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules group
oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit group
oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
Record Events that Modify User/Group Information - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_gshadow:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, 
SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit gshadow
oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
Record Events that Modify User/Group Information - /etc/security/opasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_opasswd:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, 
SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000476-GPOS-00221, SRG-OS-000463-GPOS-00207, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit opasswd
oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
Record Events that Modify User/Group Information - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_passwd:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, 
SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit passwd
oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
Record Events that Modify User/Group Information - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_usergroup_modification_shadow:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-3 R2.2.2, CIP-004-3 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, 
SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, in order to capture events that modify
account changes:
-w /etc/shadow -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augen:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/audit/rules\.d/.*\.rules$ | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit shadow
oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audit.rules | ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ | 1 |
Record Access Events to Audit Log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_directory_access_var_log_audit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-directory_access_var_log_audit:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c |
| Description | The audit system should collect access events for reads of the audit log directory.
The following audit rule ensures that accesses to the audit log directory are
collected.
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
rule to a file with suffix .rules in the directory
/etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the rule to
/etc/audit/audit.rules file. |
| Rationale | Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system.
Auditing these events could serve as evidence of potential system compromise. |
OVAL test results details
audit augenrules
oval:ssg-test_audit_rules_augenrules:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
defined audit rule must exist
oval:ssg-test_directory_acccess_var_log_audit_augenrules:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_directory_acccess_var_log_audit_augenrules:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | ^/etc/audit/rules\.d/.*\.rules$ | 1 |
audit auditctl
oval:ssg-test_audit_rules_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
defined audit rule must exist
oval:ssg-test_directory_acccess_var_log_audit_auditctl:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_directory_acccess_var_log_audit_auditctl:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ | /etc/audit/audit.rules | 1 |
Configure audispd Plugin To Send Logs To Remote Server
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_audispd_configure_remote_server:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001851, FAU_GEN.1.1.c, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280, SRG-OS-000479-VMM-001990, SRG-OS-000479-VMM-001990 |
| Description | Configure the audispd plugin to off-load audit records onto a different
system or media from the system being audited.
Set the remote_server option in /etc/audit/audisp-remote.conf
with an IP address or hostname of the system that the audispd plugin should
send audit records to. For example:
remote_server = logcollector |
| Rationale | Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Off-loading is a common process in information systems
with limited audit storage capacity. |
OVAL test results details
remote server to send audit records
oval:ssg-test_auditd_audispd_configure_remote_server:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_audispd_configure_remote_server:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audisp-remote.conf | ^[ ]*remote_server[ ]+=[ ]+(\S+)[ ]*$ | 1 |
Encrypt Audit Records Sent With audispd Plugin
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_audispd_encrypt_sent_records:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001851, AU-9(3), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
| Description | Configure the operating system to encrypt the transfer of off-loaded audit
records onto a different system or media from the system being audited.
Set the transport option in /etc/audit/audisp-remote.conf
to KRB5. |
| Rationale | Information stored in one location is vulnerable to accidental or incidental deletion
or alteration. Off-loading is a common process in information systems with limited
audit storage capacity. |
OVAL test results details
setting in audisp-remote.conf
oval:ssg-test_auditd_audispd_encrypt_sent_records:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_audispd_encrypt_sent_records:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/audisp-remote.conf | ^[ ]*transport[ ]+=[ ]+KRB5[ ]*$ | 1 |
Configure auditd to use audispd's syslog plugin
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_audispd_syslog_plugin_activated:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000136, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-4(1), CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.3, SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133, SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280, SRG-OS-000479-VMM-001990, SRG-OS-000479-VMM-001990 |
| Description | To configure the auditd service to use the
syslog plug-in of the audispd audit event multiplexor, set
the active line in /etc/audit/plugins.d/syslog.conf to yes.
Restart the auditd service:
$ sudo service auditd restart |
| Rationale | The auditd service does not include the ability to send audit
records to a centralized server for management directly. It does, however,
include a plug-in for audit event multiplexor (audispd) to pass audit records
to the local syslog server. |
OVAL test results details
audispd syslog plugin activated
oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_auditd_audispd_syslog_plugin_activated:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/plugins.d/syslog.conf | ^[ ]*active[ ]+=[ ]+yes[ ]*$ | 1 |
Set number of records to cause an explicit flush to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_freq |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_freq:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
FAU_GEN.1, SRG-OS-000051-GPOS-00024 |
| Description | To configure Audit daemon to issue an explicit flush to disk command
after writing 50 records, set freq to 50
in /etc/audit/auditd.conf. |
| Rationale | If option freq isn't set to 50, the flush to disk
may happen only after a higher number of records, increasing the danger
of audit loss. |
OVAL test results details
tests the value of freq setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_freq:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_auditd_freq:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/auditd.conf | ^[ \t]*(?i)freq(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Include Local Events in Audit Logs (xccdf_org.ssgproject.content_rule_auditd_local_events, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_local_events:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FAU_GEN.1.1.c, SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227 |
| Description | To configure the Audit daemon to include local events in the Audit logs, set
local_events to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If the local_events option isn't set to yes, only events from the
network will be aggregated. |
OVAL test results details: tests the value of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_auditd_local_events:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/auditd.conf | ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
tests the absence of local_events setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_local_events_default_not_overriden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_auditd_local_events_default_not_overriden:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/auditd.conf | ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]* | 1 |
Resolve information before writing to audit logs (xccdf_org.ssgproject.content_rule_auditd_log_format, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_log_format:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FAU_GEN.1, SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227 |
| Description | To configure the Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set log_format to ENRICHED
in /etc/audit/auditd.conf. |
| Rationale | If option log_format isn't set to ENRICHED, the
audit records will be stored in a format exactly as the kernel sends them. |
OVAL test results details: tests the value of log_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_log_format:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_auditd_log_format:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/auditd.conf | ^[ \t]*(?i)log_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Set hostname as computer node name in audit logs (xccdf_org.ssgproject.content_rule_auditd_name_format, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_name_format:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001851, FAU_GEN.1, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
| Description | To configure the Audit daemon to use the value returned by the gethostname
syscall as the computer node name in audit events,
set name_format to hostname
in /etc/audit/auditd.conf. |
| Rationale | If the name_format option is left at its default value of
none, audit events from different computers may be hard
to distinguish. |
OVAL test results details: tests the value of name_format setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_name_format:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_auditd_name_format:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/auditd.conf | ^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Write Audit Logs to the Disk (xccdf_org.ssgproject.content_rule_auditd_write_logs, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_write_logs |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_write_logs:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227 |
| Description | To configure the Audit daemon to write Audit logs to the disk, set
write_logs to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If the write_logs option isn't set to yes, the Audit logs will
not be written to the disk. |
OVAL test results details: tests the value of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_auditd_write_logs:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/auditd.conf | ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
tests the absence of write_logs setting in the /etc/audit/auditd.conf file
oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_auditd_write_logs_default_not_overriden:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/audit/auditd.conf | ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]* | 1 |
Enable Auditing for Processes Which Start Prior to the Audit Daemon (xccdf_org.ssgproject.content_rule_grub2_audit_argument, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_argument:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, SRG-OS-000254-VMM-000880 |
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system in
/boot/grub2/grubenv, in the manner below:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot. |
| Warnings | The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results details: check for kernel command line parameter audit=1 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_audit_argument_grub_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_grub_env:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grubenv | ^kernelopts=(.*)$ | 1 |
Extend Audit Backlog Limit for the Audit Daemon (xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_backlog_limit_argument:def:1 |
| Time | 2021-11-16T20:08:35+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001849, CM-6(a), SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132 |
| Description | To improve the kernel's capacity to queue all log events, even those which occurred
before the audit daemon started, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192" |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during the boot process, the action
defined by the audit failure flag is taken. |
| Warnings | The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results details: check for kernel command line parameter audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_grub_env:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grubenv | ^kernelopts=(.*)$ | 1 |
Set Boot Loader Password in grub2 (xccdf_org.ssgproject.content_rule_grub2_password, severity high)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_password:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | high |
| Identifiers and References | References:
BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048 |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
OVAL test results details: Check if /boot/grub2/grub.cfg does not exist
oval:ssg-test_grub2_password_file_boot_grub2_grub_cfg_absent:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_password_file_boot_grub2_grub_cfg_absent:obj:1 of type file_object
| Filepath |
|---|
| ^/boot/grub2/grub.cfg |
make sure a password is defined in /boot/grub2/user.cfg
oval:ssg-test_grub2_password_usercfg:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_password_usercfg:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/user.cfg | ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ | 1 |
make sure a password is defined in /boot/grub2/grub.cfg
oval:ssg-test_grub2_password_grubcfg:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_password_grubcfg:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grub.cfg | ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ | 1 |
superuser is defined in /boot/grub2/grub.cfg files.
oval:ssg-test_bootloader_superuser:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_bootloader_superuser:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grub.cfg | ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ | 1 |
Set the UEFI Boot Loader Password (xccdf_org.ssgproject.content_rule_grub2_uefi_password, severity high)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | |
| Multi-check rule | no |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | high |
| Identifiers and References | References:
BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048 |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password
by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Enable Kernel Page-Table Isolation (KPTI) (xccdf_org.ssgproject.content_rule_grub2_pti_argument, severity high)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_pti_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_pti_argument:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | high |
| Identifiers and References | References:
CCI-000381, SI-16, SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049 |
| Description | To enable Kernel page-table isolation,
add the argument pti=on to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="pti=on" |
| Rationale | Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR). |
| Warnings | The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results details: check for kernel command line parameter pti=on in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_pti_argument_grub_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_pti_argument_grub_env:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grubenv | ^kernelopts=(.*)$ | 1 |
Disable vsyscalls (xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_vsyscall_argument:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001084, CM-7(a), SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 |
| Description | To disable use of virtual syscalls,
add the argument vsyscall=none to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="vsyscall=none" |
| Rationale | Virtual syscalls provide an opportunity for attack to a user who has control
of the return instruction pointer. |
| Warnings | The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results details: check for kernel command line parameter vsyscall=none in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_vsyscall_argument_grub_env:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grubenv | ^kernelopts=(.*)$ | 1 |
Ensure cron Is Logging To Rsyslog (xccdf_org.ssgproject.content_rule_rsyslog_cron_logging, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_cron_logging:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 14, 15, 16, 3, 5, 6, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-000366, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, 0988, 1405, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.15.2.1, A.15.2.2, CM-6(a), ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227 |
| Description | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron is not logging to rsyslog, it
can be implemented by adding the following to the RULES section of
/etc/rsyslog.conf:
cron.* /var/log/cron |
| Rationale | Cron logging can be used to trace the successful or unsuccessful execution
of cron jobs. It can also be used to spot intrusions into the use of the cron
facility by unauthorized and malicious users. |
OVAL test results details: cron is configured in /etc/rsyslog.conf
oval:ssg-test_cron_logging_rsyslog:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/rsyslog.conf | ^[\s]*cron\.\*[\s]+/var/log/cron$ | 1 |
cron is configured in /etc/rsyslog.d
oval:ssg-test_cron_logging_rsyslog_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_cron_logging_rsyslog_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/rsyslog.d | ^.*$ | ^[\s]*cron\.\*[\s]+/var/log/cron$ | 1 |
Ensure Logs Sent To Remote Host (xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-rsyslog_remote_loghost:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R7), NT28(R43), NT12(R5), 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-3 R5.2, CIP-004-3 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, SRG-OS-000032-VMM-000130 |
| Description | To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting logcollector appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery:
*.* @logcollector
To use TCP for log message delivery:
*.* @@logcollector
To use RELP for log message delivery:
*.* :omrelp:logcollector
There must be a resolvable DNS CNAME or alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise. |
OVAL test results details: Ensures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_conf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/rsyslog.conf | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Ensures system configured to export logs to remote host
oval:ssg-test_remote_rsyslog_d:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/rsyslog.d | .* | ^\*\.\*[\s]+(?:@|\:omrelp\:) | 1 |
Verify firewalld Enabled (xccdf_org.ssgproject.content_rule_service_firewalld_enabled, severity medium)
| Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_firewalld_enabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-3 R4, CIP-003-3 R5, CIP-004-3 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232 |
| Description | The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service |
| Rationale | Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols. |
OVAL test results details: package firewalld is installed
oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_firewalld_package_firewalld_installed:obj:1 of type rpminfo_object
Test that the firewalld service is running
oval:ssg-test_service_running_firewalld:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_firewalld:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^firewalld\.(socket|service)$ | ActiveState |
systemd test
oval:ssg-test_multi_user_wants_firewalld:tst:1
false
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | basic.target, -.mount, sysinit.target, systemd-tmpfiles-setup-dev.service, sys-fs-fuse-connections.mount, proc-sys-fs-binfmt_misc.automount, selinux-autorelabel-mark.service, systemd-boot-system-token.service, cryptsetup.target, local-fs.target, boot-efi.mount, boot.mount, home.mount, tmp.mount, systemd-remount-fs.service, systemd-udev-trigger.service, systemd-sysctl.service, veritysetup.target, systemd-journald.service, kmod-static-nodes.service, ldconfig.service, systemd-sysusers.service, dracut-shutdown.service, systemd-update-done.service, systemd-journal-catalog-update.service, systemd-hwdb-update.service, swap.target, dev-zram0.swap, systemd-repart.service, systemd-binfmt.service, sys-kernel-config.mount, systemd-tmpfiles-setup.service, systemd-random-seed.service, import-state.service, systemd-udevd.service, systemd-journal-flush.service, sys-kernel-tracing.mount, systemd-machine-id-commit.service, systemd-modules-load.service, sys-kernel-debug.mount, systemd-update-utmp.service, systemd-firstboot.service, dev-hugepages.mount, dev-mqueue.mount, systemd-ask-password-console.path, slices.target, -.slice, system.slice, timers.target, dnf-makecache.timer, dnf-automatic.timer, systemd-tmpfiles-clean.timer, unbound-anchor.timer, fstrim.timer, paths.target, sockets.target, systemd-udevd-kernel.socket, systemd-coredump.socket, systemd-journald-dev-log.socket, systemd-journald.socket, sssd-kcm.socket, systemd-userdbd.socket, systemd-journald-audit.socket, dbus.socket, systemd-initctl.socket, systemd-udevd-control.socket, rpmdb-rebuild.service, systemd-logind.service, systemd-ask-password-wall.path, systemd-homed.service, chronyd.service, auditd.service, systemd-oomd.service, sssd.service, getty.target, getty@tty1.service, NetworkManager.service, remote-fs.target, systemd-update-utmp-runlevel.service, systemd-user-sessions.service, systemd-resolved.service, sshd.service |
systemd test
oval:ssg-test_multi_user_wants_firewalld_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | basic.target, -.mount, sysinit.target, systemd-tmpfiles-setup-dev.service, sys-fs-fuse-connections.mount, proc-sys-fs-binfmt_misc.automount, selinux-autorelabel-mark.service, systemd-boot-system-token.service, cryptsetup.target, local-fs.target, boot-efi.mount, boot.mount, home.mount, tmp.mount, systemd-remount-fs.service, systemd-udev-trigger.service, systemd-sysctl.service, veritysetup.target, systemd-journald.service, kmod-static-nodes.service, ldconfig.service, systemd-sysusers.service, dracut-shutdown.service, systemd-update-done.service, systemd-journal-catalog-update.service, systemd-hwdb-update.service, swap.target, dev-zram0.swap, systemd-repart.service, systemd-binfmt.service, sys-kernel-config.mount, systemd-tmpfiles-setup.service, systemd-random-seed.service, import-state.service, systemd-udevd.service, systemd-journal-flush.service, sys-kernel-tracing.mount, systemd-machine-id-commit.service, systemd-modules-load.service, sys-kernel-debug.mount, systemd-update-utmp.service, systemd-firstboot.service, dev-hugepages.mount, dev-mqueue.mount, systemd-ask-password-console.path, slices.target, -.slice, system.slice, timers.target, dnf-makecache.timer, dnf-automatic.timer, systemd-tmpfiles-clean.timer, unbound-anchor.timer, fstrim.timer, paths.target, sockets.target, systemd-udevd-kernel.socket, systemd-coredump.socket, systemd-journald-dev-log.socket, systemd-journald.socket, sssd-kcm.socket, systemd-userdbd.socket, systemd-journald-audit.socket, dbus.socket, systemd-initctl.socket, systemd-udevd-control.socket, rpmdb-rebuild.service, systemd-logind.service, systemd-ask-password-wall.path, systemd-homed.service, chronyd.service, auditd.service, systemd-oomd.service, sssd.service, getty.target, getty@tty1.service, NetworkManager.service, remote-fs.target, systemd-update-utmp-runlevel.service, systemd-user-sessions.service, systemd-resolved.service, sshd.service |
Set Default firewalld Zone for Incoming Packets (xccdf_org.ssgproject.content_rule_set_firewalld_default_zone, severity: medium)
Set Default firewalld Zone for Incoming Packets
| Rule ID | xccdf_org.ssgproject.content_rule_set_firewalld_default_zone |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_firewalld_default_zone:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.3, 3.4.7, 3.13.6, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 1416, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CA-3(5), CM-7(b), SC-7(23), CM-6(a), PR.IP-1, PR.PT-3, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000 |
| Description | The default zone handles incoming IPv4 and IPv6 packets on any
interface or source that is not explicitly bound to another zone. To set it to
drop, modify the following line in /etc/firewalld/firewalld.conf to read:
DefaultZone=drop |
| Rationale | In firewalld the default zone is applied only after all
the applicable rules in the table are examined for a match. Setting the
default zone to drop implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
| Warnings | warning
To prevent denying any access to the system, automatic remediation
of this control is not available. Remediation must be automated as
a component of machine provisioning, or followed manually as outlined
above. |
OVAL test results details
Check /etc/firewalld/firewalld.conf DefaultZone for drop
oval:ssg-test_firewalld_input_drop:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_firewalld_input_drop:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/firewalld/firewalld.conf | ^DefaultZone=drop$ | 1 |
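The check above is a literal line match, and the Warnings row explains why no automatic remediation ships with the rule: a wrong default zone can lock you out. The following helpers are an added example, not code from the SSG project or this report. They read and rewrite firewalld.conf the way the OVAL object does (a line matching exactly ^DefaultZone=drop$). CONF is an assumed parameter so the functions can be run against a scratch copy; the default is the real path and needs root.

```shell
# Print the value of the first active (uncommented) DefaultZone assignment,
# or "" if the file has none.
firewalld_default_zone() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    [ -r "$conf" ] || { echo ""; return 0; }
    grep -E '^[[:space:]]*DefaultZone[[:space:]]*=' "$conf" | head -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//'
}

# Return 0 only when the file satisfies the scan's pattern: key at column 1,
# no spaces around "=", nothing after "drop". The pattern is stricter than a
# human reader would be, so check with the same regex the scanner uses.
firewalld_zone_compliant() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    grep -qE '^DefaultZone=drop$' "$conf" 2>/dev/null
}

# Set DefaultZone=drop idempotently: rewrite any active assignment, otherwise
# append the key. The file is overwritten in place (cat > file) rather than
# replaced with mv so its mode, owner and SELinux label survive.
firewalld_set_default_zone_drop() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    tmp=$(mktemp)
    if grep -qE '^[[:space:]]*DefaultZone[[:space:]]*=' "$conf" 2>/dev/null; then
        sed -E 's/^[[:space:]]*DefaultZone[[:space:]]*=.*$/DefaultZone=drop/' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp" 2>/dev/null || true
        printf 'DefaultZone=drop\n' >> "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

On a live host, firewall-cmd --set-default-zone=drop makes the same change in both the runtime and the permanent configuration. Before switching, confirm with firewall-cmd --get-active-zones and firewall-cmd --list-all that the zone bound to your management interface still permits SSH, because after the change anything not assigned to a zone is dropped.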
Disable ATM Support (xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled, severity: medium)
Disable ATM Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_atm_disabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000381, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
| Description | Asynchronous Transfer Mode (ATM) is a protocol operating on the
network, data link, and physical layers, based on virtual circuits
and virtual paths.
To configure the system to prevent the atm
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install atm /bin/true |
| Rationale | Disabling ATM protects the system against exploitation of any
flaws in its implementation. |
OVAL test results details
kernel module atm disabled
oval:ssg-test_kernmod_atm_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /etc/modules-load.d
oval:ssg-test_kernmod_atm_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /run/modules-load.d
oval:ssg-test_kernmod_atm_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_atm_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /run/modprobe.d
oval:ssg-test_kernmod_atm_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_atm_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
kernel module atm disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_atm_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_atm_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+atm\s+(/bin/false|/bin/true)$ | 1 |
Disable CAN Support (xccdf_org.ssgproject.content_rule_kernel_module_can_disabled, severity: medium)
Disable CAN Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_can_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_can_disabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000381, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
| Description | The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive applications and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the can
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install can /bin/true |
| Rationale | Disabling CAN protects the system against exploitation of any
flaws in its implementation. |
OVAL test results details
kernel module can disabled
oval:ssg-test_kernmod_can_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /etc/modules-load.d
oval:ssg-test_kernmod_can_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /run/modules-load.d
oval:ssg-test_kernmod_can_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_can_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /run/modprobe.d
oval:ssg-test_kernmod_can_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_can_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
kernel module can disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_can_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_can_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+can\s+(/bin/false|/bin/true)$ | 1 |
Disable IEEE 1394 (FireWire) Support (xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled, severity: medium)
Disable IEEE 1394 (FireWire) Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_firewire-core_disabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000381, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
| Description | IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.
To configure the system to prevent the firewire-core
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install firewire-core /bin/true |
| Rationale | Disabling FireWire protects the system against exploitation of any
flaws in its implementation. |
OVAL test results details
kernel module firewire-core disabled
oval:ssg-test_kernmod_firewire-core_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /etc/modules-load.d
oval:ssg-test_kernmod_firewire-core_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /run/modules-load.d
oval:ssg-test_kernmod_firewire-core_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_firewire-core_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /run/modprobe.d
oval:ssg-test_kernmod_firewire-core_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_firewire-core_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
kernel module firewire-core disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ | 1 |
Disable TIPC Support (xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled, severity: medium)
Disable TIPC Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_tipc_disabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
| Description | The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/true |
| Rationale | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. |
OVAL test results details
kernel module tipc disabled
oval:ssg-test_kernmod_tipc_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modprobe.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /etc/modules-load.d
oval:ssg-test_kernmod_tipc_etcmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_etcmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /etc/modules-load.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /run/modules-load.d
oval:ssg-test_kernmod_tipc_runmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_runmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modules-load.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /usr/lib/modules-load.d
oval:ssg-test_kernmod_tipc_libmodules-load:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_libmodules-load:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modules-load.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /run/modprobe.d
oval:ssg-test_kernmod_tipc_runmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_runmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /run/modprobe.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /usr/lib/modprobe.d
oval:ssg-test_kernmod_tipc_libmodprobed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_libmodprobed:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|
| /usr/lib/modprobe.d | ^.*\.conf$ | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
kernel module tipc disabled in /etc/modprobe.conf
oval:ssg-test_kernmod_tipc_modprobeconf:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/modprobe.conf | ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ | 1 |
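The four kernel-module rules above (atm, can, firewire-core, tipc) share one remediation shape and one check: an install line naming /bin/true or /bin/false in a *.conf file under the modprobe.d directories (the scan also looks in the modules-load.d directories and /etc/modprobe.conf, but /etc/modprobe.d is where the rules tell you to write). The block below is an added example serving all four rules; it is not code from the SSG project or this report. ROOT is an assumed prefix so the functions can be exercised on a scratch tree; leave it unset on a real host and run as root.

```shell
# Write $ROOT/etc/modprobe.d/<module>.conf for each module named.
# "install X /bin/true" makes modprobe run /bin/true instead of loading X, which
# is the line the rules ask for. "blacklist X" is an addition beyond the rule:
# it makes modprobe ignore the module's internal aliases, so udev cannot pull
# the module in by alias either.
disable_kernel_modules() {
    dir="${ROOT:-}/etc/modprobe.d"
    mkdir -p "$dir"
    for mod in "$@"; do
        printf 'install %s /bin/true\nblacklist %s\n' "$mod" "$mod" > "$dir/$mod.conf"
    done
}

# Mirror the scan's pattern: an install line for the module ending in
# /bin/true or /bin/false, in any *.conf under the modprobe.d directories it
# reads. Prints the first file that satisfies it and returns 0; returns 1 if
# no file does.
module_disabled_in_config() {
    mod=$1
    for d in etc/modprobe.d run/modprobe.d usr/lib/modprobe.d; do
        for f in "${ROOT:-}/$d"/*.conf; do
            [ -f "$f" ] || continue
            if grep -qE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+(/bin/false|/bin/true)$" "$f"; then
                echo "$f"
                return 0
            fi
        done
    done
    return 1
}

# The install line only prevents future loads; a module that is already
# resident stays resident until "modprobe -r <module>" or a reboot, and the
# scan would still pass. Report the current state from /proc/modules, which
# lists names with underscores (firewire-core appears as firewire_core).
module_loaded_now() {
    name=$(printf '%s' "$1" | tr '-' '_')
    [ -r /proc/modules ] || { echo unknown; return 0; }
    if grep -qE "^$name " /proc/modules; then echo loaded; else echo not-loaded; fi
}
```

A typical sequence on a host is disable_kernel_modules atm can firewire-core tipc, then module_loaded_now for each to see whether an unload is still needed. If a module is built into the initramfs, rebuild it after adding the configuration so the early boot environment honours the same install lines.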
Add nodev Option to /dev/shm (xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev, severity: low)
Add nodev Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nodev:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | low |
| Identifiers and References | References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
| Description | The nodev mount option can be used to prevent creation of device
files in /dev/shm. Legitimate character and block devices should
not exist within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
OVAL test results details
nodev on /dev/shm optional no
oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 58413 | 0 | 58413 |
/dev/shm exists
oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 58413 | 0 | 58413 |
Add noexec Option to /dev/shm (xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec, severity: low)
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_noexec:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | low |
| Identifiers and References | References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
OVAL test results details
noexec on /dev/shm optional no
oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1
false
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 58413 | 0 | 58413 |
/dev/shm exists
oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 58413 | 0 | 58413 |
Add nosuid Option to /dev/shm (xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid, severity: low)
Add nosuid Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nosuid:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | low |
| Identifiers and References | References:
11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
| Description | The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
OVAL test results details
nosuid on /dev/shm optional no
oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 58413 | 0 | 58413 |
/dev/shm exists
oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1
true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|
| /dev/shm | tmpfs | | tmpfs | rw | seclabel | nosuid | nodev | inode64 | 58413 | 0 | 58413 |
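The three /dev/shm rules above read the same mount entry, and the scanned host shows why they are separate checks: the mount carries nosuid and nodev but not noexec, so only the noexec rule fails. The helpers below are an added example, not code from the SSG project or this report. They parse a /proc/mounts-style line, name the options still missing, and produce the /etc/fstab entry whose fourth column the rule descriptions tell you to edit. The sample mount line in the test is constructed to match this report's result.

```shell
# Print the mount options of MOUNTPOINT from a /proc/mounts-style file
# (default: the live /proc/mounts). /proc/mounts lists mounts in mount order,
# so when a path is mounted more than once the last entry is the visible one,
# and that is the one reported. Prints "" if the mount point is absent.
mount_options_of() {
    mp=$1; src=${2:-/proc/mounts}
    [ -r "$src" ] || { echo ""; return 0; }
    # fields: device mountpoint fstype options dump pass
    awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }' "$src"
}

# Given an option string such as "rw,seclabel,nosuid,nodev,inode64", print the
# required options that are missing, space separated; empty means compliant.
missing_mount_options() {
    opts=$1; missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    echo "$missing"
}

# The /etc/fstab line that carries all three options across reboots. Fedora
# mounts /dev/shm from a systemd unit rather than from fstab, but an fstab
# entry is still honoured through systemd-fstab-generator.
dev_shm_fstab_line() {
    printf 'tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n'
}
```

To apply the options without a reboot, run mount -o remount,nodev,nosuid,noexec /dev/shm and re-run mount_options_of /dev/shm. Test workloads before rolling out noexec: software that maps executable shared memory from /dev/shm will stop working under it, which is the trade-off the rationale accepts.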
Disable acquiring, saving, and processing core dumps (xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled, severity: medium)
Disable acquiring, saving, and processing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_systemd-coredump_disabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | The systemd-coredump.socket unit is a socket activation of
the systemd-coredump@.service which processes core dumps.
By masking the unit, core dump processing is disabled. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. |
OVAL test results details
package systemd is removed
oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|
| systemd | x86_64 | (none) | 2.fc35 | 249.4 | 0:249.4-2.fc35 | db4639719867c58f | systemd-0:249.4-2.fc35.x86_64 |
Test that the systemd-coredump service is not running
oval:ssg-test_service_not_running_systemd-coredump:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| systemd-coredump.socket | ActiveState | active |
Test that the property LoadState from the service systemd-coredump is masked
oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1
false
Following items have been found on the system:
| Unit | Property | Value |
|---|
| systemd-coredump.socket | LoadState | loaded |
Disable core dump backtraces (xccdf_org.ssgproject.content_rule_coredump_disable_backtraces, severity: medium)
Disable core dump backtraces
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended;
however, there may be overriding operational requirements to enable advanced
debugging. Permitting temporary enablement of core dumps during such situations
should be reviewed against local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
OVAL test results details
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_backtraces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable storing core dump (xccdf_org.ssgproject.content_rule_coredump_disable_storage, severity: medium)
Disable storing core dump
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | The Storage option in [Coredump] section
of /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended;
however, there may be overriding operational requirements to enable advanced
debugging. Permitting temporary enablement of core dumps during such situations
should be reviewed against local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
OVAL test results details
tests the value of Storage setting in the /etc/systemd/coredump.conf file
oval:ssg-test_coredump_disable_storage:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
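The two coredump.conf rules above (Storage=none, ProcessSizeMax=0) share a pitfall the Warnings rows spell out: the OVAL pattern only accepts the key when it sits under a [Coredump] section header, and a key written outside that section is ignored by systemd too. The helpers below are an added example, not code from the SSG project or this report. They read and edit the file section-aware, creating the header when it is missing. CONF is an assumed parameter so the functions can be run on a scratch copy; the default is the single file the scan reads, /etc/systemd/coredump.conf, and writing it needs root. The companion service rule is handled separately with systemctl mask --now systemd-coredump.socket.

```shell
# Print the effective value of KEY inside the [Coredump] section of CONF
# (last assignment wins, as in systemd). Prints "" if the key is absent,
# commented out, or placed outside the section.
coredump_conf_get() {
    key=$1; conf=${2:-/etc/systemd/coredump.conf}
    [ -r "$conf" ] || { echo ""; return 0; }
    awk -v key="$key" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[Coredump\][ \t]*$/); next }
        in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); val = $0
        }
        END { print val }' "$conf"
}

# Ensure KEY=VALUE is set inside [Coredump]. The first active assignment in the
# section is rewritten and any duplicates are dropped; if the section has no
# active assignment the line is added at its end; if the file has no
# [Coredump] section at all, the header and the line are appended. Commented
# defaults and other sections are left untouched, and the file is overwritten
# in place so its mode and SELinux label survive.
coredump_conf_set() {
    key=$1; val=$2; conf=${3:-/etc/systemd/coredump.conf}
    tmp=$(mktemp)
    [ -f "$conf" ] || : > "$conf"
    awk -v key="$key" -v val="$val" '
        /^[ \t]*\[/ {
            if (in_sec && !done) { print key "=" val; done = 1 }
            in_sec = ($0 ~ /^[ \t]*\[Coredump\][ \t]*$/)
            seen = seen || in_sec
        }
        in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            if (done) next
            print key "=" val; done = 1; next
        }
        { print }
        END {
            if (!seen) print "[Coredump]"
            if (!done) print key "=" val
        }' "$conf" > "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Applying both rules is coredump_conf_set Storage none followed by coredump_conf_set ProcessSizeMax 0. Note that drop-in files under /etc/systemd/coredump.conf.d/ are honoured by systemd but invisible to this scan, which reads only /etc/systemd/coredump.conf; put the values in the main file if the scan result matters.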
Restrict Exposed Kernel Pointer Addresses Access (xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict, severity: medium)
Restrict Exposed Kernel Pointer Addresses Access
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kptr_restrict:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R23), CCI-002824, CCI-000366, CIP-002-3 R1.1, CIP-002-3 R1.2, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 4.1, CIP-004-3 4.2, CIP-004-3 R2.2.3, CIP-004-3 R2.2.4, CIP-004-3 R2.3, CIP-004-3 R4, CIP-005-3a R1, CIP-005-3a R1.1, CIP-005-3a R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-3 R.1.1, CIP-009-3 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1 |
| Rationale | Exposing kernel pointers (through procfs or seq_printf()) exposes
kernel-writeable structures that can contain function pointers. If a write vulnerability occurs
in the kernel that allows write access to any of these structures, the kernel can be compromised. This
option disallows any program without the CAP_SYSLOG capability from obtaining kernel pointer addresses,
replacing them with 0. |
OVAL test results details: kernel.kptr_restrict static configuration
oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_kptr_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.kptr_restrict set to 1
oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.kptr_restrict | 0 |
Enable page allocator poisoning (xccdf_org.ssgproject.content_rule_grub2_page_poison_argument, medium)
Enable page allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_page_poison_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_page_poison_argument:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001084, CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068 |
| Description | To enable poisoning of free pages,
add the argument page_poison=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="page_poison=1" |
| Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or
reference to a page after it has been freed or before it has been initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
It also prevents data leaks and enables detection of corrupted memory. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results details: check for kernel command line parameter page_poison=1 in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_page_poison_argument_grub_env:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grubenv | ^kernelopts=(.*)$ | 1 |
Enable SLUB/SLAB allocator poisoning (xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument, medium)
Enable SLUB/SLAB allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_slub_debug_argument:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001084, CM-6(a), SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068 |
| Description | To enable poisoning of SLUB/SLAB objects,
add the argument slub_debug=P to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="slub_debug=P" |
| Rationale | Poisoning writes an arbitrary value to freed objects, so any modification or
reference to an object after it has been freed or before it has been initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
It also prevents data leaks and enables detection of corrupted memory. |
| Warnings | warning
The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
|
OVAL test results details: check for kernel command line parameter slub_debug=P in /boot/grub2/grubenv for all kernels
oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_slub_debug_argument_grub_env:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/grub2/grubenv | ^kernelopts=(.*)$ | 1 |
Disable storing core dumps (xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern, medium)
Disable storing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_core_pattern:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: $ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
OVAL test results details: kernel.core_pattern static configuration
oval:ssg-test_static_sysctl_kernel_core_pattern:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ | 1 |
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_core_pattern:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ | 1 |
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_core_pattern:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_core_pattern:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ | 1 |
kernel.core_pattern static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_core_pattern:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/sysctl.d/50-coredump.conf | kernel.core_pattern= |
kernel runtime parameter kernel.core_pattern set to |/bin/false
oval:ssg-test_sysctl_runtime_kernel_core_pattern:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.core_pattern | |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h |
Restrict Access to Kernel Message Buffer (xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict, medium)
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_dmesg_restrict:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R23), 3.1.5, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 |
| Description | To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 |
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel
address information. |
OVAL test results details: kernel.dmesg_restrict static configuration
oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.dmesg_restrict set to 1
oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.dmesg_restrict | 0 |
Disable Kernel Image Loading (xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled, medium)
Disable Kernel Image Loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_kexec_load_disabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001749, SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153 |
| Description | To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 |
| Rationale | Disabling kexec_load allows greater control over kernel memory.
Once disabled, it becomes impossible to load another kernel image. |
OVAL test results details: kernel.kexec_load_disabled static configuration
oval:ssg-test_static_sysctl_kernel_kexec_load_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_kexec_load_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_kexec_load_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_kexec_load_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_kexec_load_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.kexec_load_disabled set to 1
oval:ssg-test_sysctl_runtime_kernel_kexec_load_disabled:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.kexec_load_disabled | 0 |
Disallow kernel profiling by unprivileged users (xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid, medium)
Disallow kernel profiling by unprivileged users
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_perf_event_paranoid:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R23), CCI-001090, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 |
| Description | To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 |
| Rationale | Kernel profiling can reveal sensitive information about kernel behaviour. |
OVAL test results details: kernel.perf_event_paranoid static configuration
oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ | 1 |
kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ | 1 |
kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ | 1 |
kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ | 1 |
kernel runtime parameter kernel.perf_event_paranoid set to 2
oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1
true
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.perf_event_paranoid | 2 |
Disable Access to Network bpf() Syscall From Unprivileged Processes (xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled, medium)
Disable Access to Network bpf() Syscall From Unprivileged Processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 |
| Rationale | Loading and accessing packet filter programs and maps through the bpf()
syscall can reveal sensitive information about the kernel state. |
OVAL test results details: kernel.unprivileged_bpf_disabled static configuration
oval:ssg-test_static_sysctl_kernel_unprivileged_bpf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1
oval:ssg-test_sysctl_runtime_kernel_unprivileged_bpf_disabled:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.unprivileged_bpf_disabled | 2 |
Restrict usage of ptrace to descendant processes (xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope, medium)
Restrict usage of ptrace to descendant processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R25), CCI-000366, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 |
| Rationale | Unrestricted usage of ptrace allows compromised binaries to run ptrace
on other processes belonging to the same user. This lets an attacker steal
sensitive information from the target processes (e.g. SSH sessions, web browsers)
without any additional assistance from the user (i.e. without resorting to phishing). |
OVAL test results details: kernel.yama.ptrace_scope static configuration
oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ | 1 |
kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ | 1 |
kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ | 1 |
kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ | 1 |
kernel runtime parameter kernel.yama.ptrace_scope set to 1
oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.yama.ptrace_scope | 0 |
Harden the operation of the BPF just-in-time compiler (xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden, medium)
Harden the operation of the BPF just-in-time compiler
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_core_bpf_jit_harden:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, CM-6b, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 |
| Rationale | When hardened, the extended Berkeley Packet Filter just-in-time compiler
will randomize any kernel addresses in the BPF programs and maps,
and will not expose the JIT addresses in /proc/kallsyms. |
OVAL test results details: net.core.bpf_jit_harden static configuration
oval:ssg-test_static_sysctl_net_core_bpf_jit_harden:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ | 1 |
net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_net_core_bpf_jit_harden:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ | 1 |
net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_net_core_bpf_jit_harden:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ | 1 |
net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_net_core_bpf_jit_harden:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_net_core_bpf_jit_harden:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ | 1 |
kernel runtime parameter net.core.bpf_jit_harden set to 2
oval:ssg-test_sysctl_runtime_net_core_bpf_jit_harden:tst:1
error
Following items have been found on the system:
Disable the use of user namespaces (xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces, low)
Disable the use of user namespaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_user_max_user_namespaces:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | low |
| Identifiers and References | References:
CCI-000366, SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | To set the runtime status of the user.max_user_namespaces kernel parameter,
run the following command:
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent,
add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set
to a large non-zero value. |
| Rationale | User namespaces are used primarily for Linux containers. The value 0
disallows the use of user namespaces. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
it is expected that user.max_user_namespaces will be enabled. |
OVAL test results details: user.max_user_namespaces static configuration
oval:ssg-test_static_sysctl_user_max_user_namespaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_user_max_user_namespaces:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ | 1 |
user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_etc_sysctld_user_max_user_namespaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_user_max_user_namespaces:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ | 1 |
user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_run_sysctld_user_max_user_namespaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_user_max_user_namespaces:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ | 1 |
user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf
oval:ssg-test_static_usr_lib_sysctld_user_max_user_namespaces:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_usr_lib_sysctld_user_max_user_namespaces:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ | 1 |
kernel runtime parameter user.max_user_namespaces set to 0
oval:ssg-test_sysctl_runtime_user_max_user_namespaces:tst:1
false
Following items have been found on the system:
| Name | Value |
|---|---|
| user.max_user_namespaces | 1694 |
Ensure No Device Files are Unlabeled by SELinux (xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled, medium)
Ensure No Device Files are Unlabeled by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_all_devicefiles_labeled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 5, 6, 7, 8, 9, APO01.06, APO11.04, BAI01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, CCI-000022, CCI-000032, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 6.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6, DE.CM-1, DE.CM-7, PR.AC-4, PR.DS-5, PR.IP-1, PR.IP-3, PR.PT-1, PR.PT-3, SRG-OS-000480-GPOS-00227 |
| Description | Device files, which are used for communication with important system
resources, should be labeled with proper SELinux types. If any device files
carry the SELinux type device_t or unlabeled_t, report the
bug so that policy can be corrected. Supply information about what the
device is and what programs use it.
To check for incorrectly labeled device files, run the following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system. |
| Rationale | If a device file carries the SELinux type device_t or
unlabeled_t, then SELinux cannot properly restrict access to the
device file. |
| Warnings | Automatic remediation of this control is not available. The remediation
can be achieved by amending SELinux policy. |
OVAL test results details: device_t in /dev
oval:ssg-test_selinux_dev_device_t:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_dev_device_t:obj:1 of type
selinuxsecuritycontext_object
| Filepath | Filter |
|---|---|
| (list of character and block device nodes under /dev omitted) | oval:ssg-state_selinux_dev_device_t:ste:1 |
unlabeled_t in /dev
oval:ssg-test_selinux_dev_unlabeled_t:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_dev_unlabeled_t:obj:1 of type
selinuxsecuritycontext_object
| Filepath | Filter |
|---|---|
| (list of character and block device nodes under /dev omitted) | oval:ssg-state_selinux_dev_unlabeled_t:ste:1 |
Ensure No Daemons are Unconfined by SELinux (xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons, severity: medium)
Ensure No Daemons are Unconfined by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_confinement_of_daemons:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-3 |
| Description | Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the unconfined_service_t context.
To check for unconfined daemons, run the following command:
$ sudo ps -eZ | grep "unconfined_service_t"
It should produce no output in a well-configured system. |
| Rationale | Daemons which run with the unconfined_service_t context may cause AVC denials,
or allow privileges that the daemon does not require. |
| Warnings | Automatic remediation of this control is not available. Remediation
can be achieved by amending SELinux policy or stopping the unconfined
daemons as outlined above. |
OVAL test results details: none satisfy unconfined_service_t in /proc
oval:ssg-test_selinux_confinement_of_daemons:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_confinement_of_daemons:obj:1 of type
selinuxsecuritycontext_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | /proc | ^.*$ | oval:ssg-state_selinux_confinement_of_daemons:ste:1 |
Configure SELinux Policy (xccdf_org.ssgproject.content_rule_selinux_policytype, severity: medium)
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_policytype:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-3 R5.1.1, CIP-003-3 R5.2, CIP-003-3 R5.3, CIP-004-3 R2.2.3, CIP-004-3 R2.3, CIP-004-3 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780 |
| Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to
temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted. |
OVAL test results details: Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file
oval:ssg-test_selinux_policy:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/selinux/config | SELINUXTYPE=targeted |
Ensure SELinux State is Enforcing (xccdf_org.ssgproject.content_rule_selinux_state, severity: medium)
Ensure SELinux State is Enforcing
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_state:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R4), BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-3 R5.1.1, CIP-003-3 R5.2, CIP-003-3 R5.3, CIP-004-3 R2.2.3, CIP-004-3 R2.3, CIP-004-3 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780 |
| Description | The SELinux state should be set to enforcing at
system boot time. In the file /etc/selinux/config, add or correct the
following line to configure the system to boot into enforcing mode:
SELINUX=enforcing |
| Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges. |
OVAL test results details: /selinux/enforce is 1
oval:ssg-test_etc_selinux_config:tst:1
true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/selinux/config | SELINUX=enforcing |
Uninstall Automatic Bug Reporting Tool (abrt) (xccdf_org.ssgproject.content_rule_package_abrt_removed, severity: medium)
Uninstall Automatic Bug Reporting Tool (abrt)
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt_removed:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000381, SRG-OS-000095-GPOS-00049 |
| Description | The Automatic Bug Reporting Tool (abrt) collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrt can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrt package can be removed with the following command:
$ sudo dnf erase abrt |
| Rationale | Mishandling crash data could expose sensitive information about
vulnerabilities in software executing on the system, as well as sensitive
information from within a process's address space or registers. |
OVAL test results details: package abrt is removed
oval:ssg-test_package_abrt_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt_removed:obj:1 of type
rpminfo_object
Install fapolicyd Package (xccdf_org.ssgproject.content_rule_package_fapolicyd_installed, severity: medium)
Install fapolicyd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_fapolicyd_installed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_fapolicyd_installed:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-001764, CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 |
| Description | The fapolicyd package can be installed with the following command:
$ sudo dnf install fapolicyd |
| Rationale | fapolicyd (File Access Policy Daemon)
implements application whitelisting to decide file access rights. |
OVAL test results details: package fapolicyd is installed
oval:ssg-test_package_fapolicyd_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_fapolicyd_installed:obj:1 of type
rpminfo_object
Uninstall Sendmail Package (xccdf_org.ssgproject.content_rule_package_sendmail_removed, severity: medium)
Uninstall Sendmail Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_sendmail_removed:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049 |
| Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo dnf erase sendmail |
| Rationale | The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux. Postfix
should be used instead. |
OVAL test results details: package sendmail is removed
oval:ssg-test_package_sendmail_removed:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_sendmail_removed:obj:1 of type
rpminfo_object
Disable chrony daemon from acting as server (xccdf_org.ssgproject.content_rule_chronyd_client_only, severity: low)
Disable chrony daemon from acting as server
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_client_only |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_client_only:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | low |
| Identifiers and References | References:
CCI-000381, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 |
| Description | The port option in /etc/chrony.conf can be set to
0 so that the chrony daemon never opens a listening port
for server operation and operates strictly in client-only mode. |
| Rationale | Minimizing the exposure of the server functionality of the chrony
daemon diminishes the attack surface. |
OVAL test results details: package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| chrony | x86_64 | (none) | 3.fc35 | 4.1 | 0:4.1-3.fc35 | db4639719867c58f | chrony-0:4.1-3.fc35.x86_64 |
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| chronyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | (full list of units wanted by multi-user.target omitted; it includes chronyd.service) |
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | (full list of units wanted by multi-user.target omitted; it includes chronyd.service) |
check if port is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_client_only:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_port_value:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/chrony.conf | ^\s*port[\s]+(\S+) | 1 |
Disable network management of chrony daemon (xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network, severity: low)
Disable network management of chrony daemon
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_no_chronyc_network:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | low |
| Identifiers and References | References:
CCI-000381, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049 |
| Description | The cmdport option in /etc/chrony.conf can be set to
0 to stop the chrony daemon from listening on UDP port 323
for management connections made by chronyc. |
| Rationale | Not exposing the management interface of the chrony daemon on
the network reduces the attack surface. |
OVAL test results details: package chrony is installed
oval:ssg-test_service_chronyd_package_chrony_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| chrony | x86_64 | (none) | 3.fc35 | 4.1 | 0:4.1-3.fc35 | db4639719867c58f | chrony-0:4.1-3.fc35.x86_64 |
Test that the chronyd service is running
oval:ssg-test_service_running_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| chronyd.service | ActiveState | active |
systemd test
oval:ssg-test_multi_user_wants_chronyd:tst:1
true
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | (full list of units wanted by multi-user.target omitted; it includes chronyd.service) |
systemd test
oval:ssg-test_multi_user_wants_chronyd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|
| multi-user.target | basic.target | -.mount | sysinit.target | systemd-tmpfiles-setup-dev.service | sys-fs-fuse-connections.mount | proc-sys-fs-binfmt_misc.automount | selinux-autorelabel-mark.service | systemd-boot-system-token.service | cryptsetup.target | local-fs.target | boot-efi.mount | boot.mount | home.mount | tmp.mount | systemd-remount-fs.service | systemd-udev-trigger.service | systemd-sysctl.service | veritysetup.target | systemd-journald.service | kmod-static-nodes.service | ldconfig.service | systemd-sysusers.service | dracut-shutdown.service | systemd-update-done.service | systemd-journal-catalog-update.service | systemd-hwdb-update.service | swap.target | dev-zram0.swap | systemd-repart.service | systemd-binfmt.service | sys-kernel-config.mount | systemd-tmpfiles-setup.service | systemd-random-seed.service | import-state.service | systemd-udevd.service | systemd-journal-flush.service | sys-kernel-tracing.mount | systemd-machine-id-commit.service | systemd-modules-load.service | sys-kernel-debug.mount | systemd-update-utmp.service | systemd-firstboot.service | dev-hugepages.mount | dev-mqueue.mount | systemd-ask-password-console.path | slices.target | -.slice | system.slice | timers.target | dnf-makecache.timer | dnf-automatic.timer | systemd-tmpfiles-clean.timer | unbound-anchor.timer | fstrim.timer | paths.target | sockets.target | systemd-udevd-kernel.socket | systemd-coredump.socket | systemd-journald-dev-log.socket | systemd-journald.socket | sssd-kcm.socket | systemd-userdbd.socket | systemd-journald-audit.socket | dbus.socket | systemd-initctl.socket | systemd-udevd-control.socket | rpmdb-rebuild.service | systemd-logind.service | systemd-ask-password-wall.path | systemd-homed.service | chronyd.service | auditd.service | systemd-oomd.service | sssd.service | getty.target | getty@tty1.service | NetworkManager.service | remote-fs.target | systemd-update-utmp-runlevel.service | systemd-user-sessions.service | systemd-resolved.service | 
sshd.service |
check if cmdport is 0 in /etc/chrony.conf
oval:ssg-test_chronyd_no_chronyc_network:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_chronyd_cmdport_value:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|
| /etc/chrony.conf | ^\s*cmdport[\s]+(\S+) | 1 |
Enable the Hardware RNG Entropy Gatherer Service (xccdf_org.ssgproject.content_rule_service_rngd_enabled, severity medium)
Enable the Hardware RNG Entropy Gatherer Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rngd_enabled |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_rngd_enabled:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000366, FCS_RBG_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | The Hardware RNG Entropy Gatherer service should be enabled.
The rngd unit is shipped in the rng-tools package, which must be installed first
(the test results below report it as absent on this system). The rngd service can then be
enabled with the following command:
$ sudo systemctl enable rngd.service |
| Rationale | The rngd service feeds random data from a hardware random number
generator into the kernel's random device. |
OVAL test results details
Package rng-tools is installed
oval:ssg-test_service_rngd_package_rng-tools_installed:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_rngd_package_rng-tools_installed:obj:1 of type rpminfo_object
Test that the rngd service is running
oval:ssg-test_service_running_rngd:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_running_rngd:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^rngd\.(socket\|service)$ | ActiveState |
systemd test
oval:ssg-test_multi_user_wants_rngd:tst:1
false
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | basic.target, -.mount, sysinit.target, systemd-tmpfiles-setup-dev.service, sys-fs-fuse-connections.mount, proc-sys-fs-binfmt_misc.automount, selinux-autorelabel-mark.service, systemd-boot-system-token.service, cryptsetup.target, local-fs.target, boot-efi.mount, boot.mount, home.mount, tmp.mount, systemd-remount-fs.service, systemd-udev-trigger.service, systemd-sysctl.service, veritysetup.target, systemd-journald.service, kmod-static-nodes.service, ldconfig.service, systemd-sysusers.service, dracut-shutdown.service, systemd-update-done.service, systemd-journal-catalog-update.service, systemd-hwdb-update.service, swap.target, dev-zram0.swap, systemd-repart.service, systemd-binfmt.service, sys-kernel-config.mount, systemd-tmpfiles-setup.service, systemd-random-seed.service, import-state.service, systemd-udevd.service, systemd-journal-flush.service, sys-kernel-tracing.mount, systemd-machine-id-commit.service, systemd-modules-load.service, sys-kernel-debug.mount, systemd-update-utmp.service, systemd-firstboot.service, dev-hugepages.mount, dev-mqueue.mount, systemd-ask-password-console.path, slices.target, -.slice, system.slice, timers.target, dnf-makecache.timer, dnf-automatic.timer, systemd-tmpfiles-clean.timer, unbound-anchor.timer, fstrim.timer, paths.target, sockets.target, systemd-udevd-kernel.socket, systemd-coredump.socket, systemd-journald-dev-log.socket, systemd-journald.socket, sssd-kcm.socket, systemd-userdbd.socket, systemd-journald-audit.socket, dbus.socket, systemd-initctl.socket, systemd-udevd-control.socket, rpmdb-rebuild.service, systemd-logind.service, systemd-ask-password-wall.path, systemd-homed.service, chronyd.service, auditd.service, systemd-oomd.service, sssd.service, getty.target, getty@tty1.service, NetworkManager.service, remote-fs.target, systemd-update-utmp-runlevel.service, systemd-user-sessions.service, systemd-resolved.service, sshd.service |
systemd test
oval:ssg-test_multi_user_wants_rngd_socket:tst:1
false
Following items have been found on the system:
| Unit | Dependencies |
|---|---|
| multi-user.target | basic.target, -.mount, sysinit.target, systemd-tmpfiles-setup-dev.service, sys-fs-fuse-connections.mount, proc-sys-fs-binfmt_misc.automount, selinux-autorelabel-mark.service, systemd-boot-system-token.service, cryptsetup.target, local-fs.target, boot-efi.mount, boot.mount, home.mount, tmp.mount, systemd-remount-fs.service, systemd-udev-trigger.service, systemd-sysctl.service, veritysetup.target, systemd-journald.service, kmod-static-nodes.service, ldconfig.service, systemd-sysusers.service, dracut-shutdown.service, systemd-update-done.service, systemd-journal-catalog-update.service, systemd-hwdb-update.service, swap.target, dev-zram0.swap, systemd-repart.service, systemd-binfmt.service, sys-kernel-config.mount, systemd-tmpfiles-setup.service, systemd-random-seed.service, import-state.service, systemd-udevd.service, systemd-journal-flush.service, sys-kernel-tracing.mount, systemd-machine-id-commit.service, systemd-modules-load.service, sys-kernel-debug.mount, systemd-update-utmp.service, systemd-firstboot.service, dev-hugepages.mount, dev-mqueue.mount, systemd-ask-password-console.path, slices.target, -.slice, system.slice, timers.target, dnf-makecache.timer, dnf-automatic.timer, systemd-tmpfiles-clean.timer, unbound-anchor.timer, fstrim.timer, paths.target, sockets.target, systemd-udevd-kernel.socket, systemd-coredump.socket, systemd-journald-dev-log.socket, systemd-journald.socket, sssd-kcm.socket, systemd-userdbd.socket, systemd-journald-audit.socket, dbus.socket, systemd-initctl.socket, systemd-udevd-control.socket, rpmdb-rebuild.service, systemd-logind.service, systemd-ask-password-wall.path, systemd-homed.service, chronyd.service, auditd.service, systemd-oomd.service, sssd.service, getty.target, getty@tty1.service, NetworkManager.service, remote-fs.target, systemd-update-utmp-runlevel.service, systemd-user-sessions.service, systemd-resolved.service, sshd.service |
Disable Host-Based Authentication (xccdf_org.ssgproject.content_rule_disable_host_auth, severity medium)
Disable Host-Based Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_host_auth:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 R2.2.3, CIP-004-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000 |
| Description | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
To disable host-based authentication, add or correct the
following line in /etc/ssh/sshd_config:
HostbasedAuthentication no |
| Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
OVAL test results details
Verify whether the profile set the value sshd_required to "not required"
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Verify whether the profile set the value sshd_required to "required"
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Tests the value of the HostbasedAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_disable_host_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
Tests the absence of the HostbasedAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_disable_host_auth_default_not_overriden:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth_default_not_overriden:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+ | 1 |
Tests the absence of the HostbasedAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_disable_host_auth_config_dir_default_not_overriden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth_config_dir_default_not_overriden:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config | .*\.conf$ | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+ | 1 |
Tests the value of the HostbasedAuthentication setting in the /etc/ssh/sshd_config.d directory
oval:ssg-test_disable_host_auth_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_disable_host_auth_config_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
Disable SSH Access via Empty Passwords (xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords, severity high)
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_empty_passwords:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | high |
| Identifiers and References | References:
NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000 |
| Description | To explicitly disallow SSH login from accounts with
empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
OVAL test results details
Verify whether the profile set the value sshd_required to "not required"
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Verify whether the profile set the value sshd_required to "required"
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Tests the value of the PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
Tests the absence of the PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords_default_not_overriden:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords_default_not_overriden:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+ | 1 |
Tests the absence of the PermitEmptyPasswords setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_empty_passwords_config_dir_default_not_overriden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords_config_dir_default_not_overriden:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config | .*\.conf$ | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+ | 1 |
Tests the value of the PermitEmptyPasswords setting in the /etc/ssh/sshd_config.d directory
oval:ssg-test_sshd_disable_empty_passwords_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
Disable GSSAPI Authentication (xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth, severity medium)
Disable GSSAPI Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_gssapi_auth:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000 |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no |
| Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to
applications. Allowing GSSAPI authentication through SSH exposes the system's
GSSAPI to remote hosts, increasing the attack surface of the system. |
OVAL test results details
Verify whether the profile set the value sshd_required to "not required"
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Verify whether the profile set the value sshd_required to "required"
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Tests the value of the GSSAPIAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_gssapi_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_gssapi_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
Tests the absence of the GSSAPIAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_gssapi_auth_default_not_overriden:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_gssapi_auth_default_not_overriden:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+ | 1 |
Tests the absence of the GSSAPIAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_gssapi_auth_config_dir_default_not_overriden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_gssapi_auth_config_dir_default_not_overriden:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config | .*\.conf$ | ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+ | 1 |
Tests the value of the GSSAPIAuthentication setting in the /etc/ssh/sshd_config.d directory
oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_gssapi_auth_config_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
Disable Kerberos Authentication (xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth, severity medium)
Disable Kerberos Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_kerb_auth:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000 |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no |
| Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
is enabled through SSH, the SSH daemon provides a means of access to the
system's Kerberos implementation, so vulnerabilities in that implementation
may become exploitable by remote hosts. |
OVAL test results details
Verify whether the profile set the value sshd_required to "not required"
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Verify whether the profile set the value sshd_required to "required"
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify whether the value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Tests the value of the KerberosAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_kerb_auth:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
Tests the absence of the KerberosAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_kerb_auth_default_not_overriden:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth_default_not_overriden:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+ | 1 |
Tests the absence of the KerberosAuthentication setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_kerb_auth_config_dir_default_not_overriden:tst:1
true
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth_config_dir_default_not_overriden:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config | .*\.conf$ | ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+ | 1 |
Tests the value of the KerberosAuthentication setting in the /etc/ssh/sshd_config.d directory
oval:ssg-test_sshd_disable_kerb_auth_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_kerb_auth_config_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$\|#) | 1 |
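The four sshd rules above (HostbasedAuthentication, PermitEmptyPasswords, GSSAPIAuthentication, KerberosAuthentication) and the PermitRootLogin rule that follows each check one keyword with a regex per file in /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*.conf. That is not how sshd resolves a value: the first occurrence wins, an Include is expanded in place (in glob-sorted order) at the line where it appears, keywords and yes/no values are case-insensitive, and any directive after a Match line is conditional rather than global. The Python below is an added example, not SSG or OpenSCAP code, that audits a configuration tree with those semantics. The tree it reads is constructed in a temporary directory; the file names 00-hardening.conf and 50-vendor.conf and every value in them are made up for the demonstration, and the EXPECTED and UPSTREAM_DEFAULT tables are assumptions for this example (the required values come from the rule descriptions, the defaults from upstream OpenSSH). Note also that the /etc/ssh/sshd_config tests above report `error` rather than true or false; a scan run without permission to read that root-only file is one common cause, but that is an inference, not something the report states.

```python
"""Audit sshd keywords with sshd's own resolution rules (added example, not SSG code):
first occurrence wins, Include expands in place, Match makes later lines conditional."""
import glob
import os
import re
import shlex
import tempfile

# Value each rule on this page requires (assumption for this example), lower-cased keyword.
EXPECTED = {
    "hostbasedauthentication": "no",
    "permitemptypasswords": "no",
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
    "permitrootlogin": "no",
}
# Upstream OpenSSH default that applies when a keyword is never set globally.
UPSTREAM_DEFAULT = {
    "hostbasedauthentication": "no",
    "permitemptypasswords": "no",
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
    "permitrootlogin": "prohibit-password",
}

_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)[\s=]+(.*?)\s*$")
_COMMENT = re.compile(r"(^|\s)#.*$")  # '#' opens a comment only at the start of a token


def _walk(path, in_match, global_, conditional):
    """Parse one file, recursing into Include globs in sorted order.  Returns the
    Match state at end of file: in sshd a Match opened inside an included file
    is still open when parsing resumes in the including file."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = _COMMENT.sub("", raw).strip()
            m = _DIRECTIVE.match(line) if line else None
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2)
            if key == "match":
                in_match = True
                continue
            if key == "include":
                for pattern in shlex.split(value):
                    if not os.path.isabs(pattern):
                        pattern = os.path.join("/etc/ssh", pattern)
                    for included in sorted(glob.glob(pattern)):
                        in_match = _walk(included, in_match, global_, conditional)
                continue
            target = conditional if in_match else global_
            target.setdefault(key, value)  # first occurrence wins; later ones are ignored
    return in_match


def audit(main_path):
    """Return {keyword: (verdict, effective_value, source)} for every keyword in EXPECTED."""
    global_, conditional = {}, {}
    _walk(main_path, False, global_, conditional)
    report = {}
    for key, want in EXPECTED.items():
        if key in global_:
            value, source = global_[key].lower(), "explicit"
        elif key in conditional:
            value, source = UPSTREAM_DEFAULT[key], "default; set only inside a Match block"
        else:
            value, source = UPSTREAM_DEFAULT[key], "default"
        report[key] = ("pass" if value == want else "fail", value, source)
    return report


def build_sample_tree(root):
    """Write a constructed config tree under root (names and values are made up
    for this example) and return the path of the main file."""
    drop_dir = os.path.join(root, "sshd_config.d")
    os.makedirs(drop_dir)
    main = os.path.join(root, "sshd_config")
    with open(main, "w", encoding="utf-8") as fh:
        fh.write(
            f"Include {drop_dir}/*.conf\n"
            "PermitRootLogin yes          # loses: 00-hardening.conf was read first\n"
            "HostBasedAuthentication No   # keyword and value are case-insensitive\n"
            "Match User backup\n"
            "    PermitEmptyPasswords yes # conditional; the global value stays at its default\n"
        )
    with open(os.path.join(drop_dir, "00-hardening.conf"), "w", encoding="utf-8") as fh:
        fh.write("PermitRootLogin no\n")
    with open(os.path.join(drop_dir, "50-vendor.conf"), "w", encoding="utf-8") as fh:
        fh.write("GSSAPIAuthentication yes  # the kind of override a vendor drop-in adds\n")
    return main


def demo():
    """Audit the constructed tree; returns the report dict."""
    with tempfile.TemporaryDirectory() as root:
        return audit(build_sample_tree(root))


if __name__ == "__main__":
    for key, (verdict, value, source) in demo().items():
        print(f"{verdict:4} {key:24} {value:18} ({source})")
```

On a real host call `audit("/etc/ssh/sshd_config")` as root, since the file is normally readable only by root. The authoritative check remains `sshd -T`, which prints the effective global configuration after parsing every Include, and `sshd -T -C user=...,host=...,addr=...` shows what a specific connection would get once Match blocks are applied.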
Disable SSH Root Login (xccdf_org.ssgproject.content_rule_sshd_disable_root_login, severity medium)
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_root_login:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
BP28(R19), NT007(R21), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-3 R5.1.1, CIP-003-3 R5.3, CIP-004-3 R2.2.3, CIP-004-3 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FIA_UAU.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000 |
| Description | The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config: PermitRootLogin no |
| Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging in with a user-specific account provides individual accountability for actions performed on the system and also helps to minimize direct attack attempts on root's password. |
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_disable_root_login:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_root_login:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_disable_root_login_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_disable_root_login_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Enable SSH Warning Banner (xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner, severity: medium)
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_warning_banner:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
1, 12, 15, 16, 5.5.6, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), AC-17(a), CM-6(a), PR.AC-7, FTA_TAB.1, SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070 |
| Description | To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config: Banner /etc/issue (another section contains information on how to create an appropriate system-wide warning banner). |
| Rationale | The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. |
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
tests the value of Banner setting in the /etc/ssh/sshd_config file
oval:ssg-test_sshd_enable_warning_banner:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
tests the value of Banner setting in the /etc/ssh/sshd_config.d file
oval:ssg-test_sshd_enable_warning_banner_config_dir:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_enable_warning_banner_config_dir:obj:1 of type
textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/ssh/sshd_config.d | .*\.conf$ | ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1 |
Force frequent session key renegotiation (xccdf_org.ssgproject.content_rule_sshd_rekey_limit, severity: medium)
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_rekey_limit |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_rekey_limit:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
CCI-000068, FCS_SSHS_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014 |
| Description | The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of the amount of data that may be transmitted and the time elapsed. To decrease the default limits, add the line RekeyLimit 512M 1h to /etc/ssh/sshd_config. |
| Rationale | By decreasing the limit based on the amount of data and enabling a time-based limit, the effects of potential attacks against encryption keys are limited. |
OVAL test results details
Verify if Profile set Value sshd_required as not required
oval:ssg-test_sshd_not_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed
oval:ssg-test_package_openssh-server_removed:tst:1
false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
Verify if Profile set Value sshd_required as required
oval:ssg-test_sshd_required:tst:1
false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default
oval:ssg-test_sshd_requirement_unset:tst:1
true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed
oval:ssg-test_package_openssh-server_installed:tst:1
true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 2.fc35 | 8.7p1 | 0:8.7p1-2.fc35 | db4639719867c58f | openssh-server-0:8.7p1-2.fc35.x86_64 |
tests the value of RekeyLimit setting in the file
oval:ssg-test_sshd_rekey_limit:tst:1
error
No items have been found conforming to the following objects:
Object oval:ssg-obj_sshd_rekey_limit:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ssh/sshd_config | ^[\s]*RekeyLimit[\s]+512M[\s]+1h[\s]*$ | 1 |
The object record also carried the values 512M and 1h and the collection error: open(): '/etc/ssh/sshd_config' Permission denied.
Configure SSSD to run as user sssd (xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user, severity: medium)
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user |
| Result | |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sssd_run_as_sssd_user:def:1 |
| Time | 2021-11-16T20:08:36+00:00 |
| Severity | medium |
| Identifiers and References | References:
FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
| Description | SSSD processes should be configured to run as user sssd, not root. |
| Rationale | To minimize the privileges of SSSD processes, they are configured to run as a non-root user. |
OVAL test results details
tests the value of user setting in SSSD config files
oval:ssg-test_sssd_run_as_sssd_user:tst:1
false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sssd_user_value:obj:1 of type
textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sssd/(sssd|conf\.d/.*)\.conf$ | ^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*user[ \t]*=[ \t]*(\S*) | 1 |